AcademySoftwareFoundation OpenImageIO
cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*
- <= 3.1.12
A heap buffer overflow vulnerability has been identified in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. The issue is in the JPEG2000 input processing, specifically in the 'jpeg2000input.cpp' file. A signed integer overflow in the buffer size calculations causes undersized buffers to be allocated, and the heap overflow occurs when pixels are then written into the undersized buffer. The vulnerability is present only in builds in which the 'USE_OPENJPH' flag is enabled.
Exploitation of this vulnerability leads to a heap buffer overflow, which can commonly be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.
The vulnerability can be reproduced by opening a crafted JPEG2000 file that contains large dimensions, specifically one that would cause the buffer size calculation to exceed the maximum value for a signed 32-bit integer. This can be done by using an HTJ2K encoder to create a valid codestream with the necessary dimensions.
Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0 to address this vulnerability.
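The size calculation described above can be illustrated with an added example; this is not OpenImageIO's code and not the upstream patch. It shows the value a signed 32-bit size ends up holding for constructed dimensions, next to a checked calculation that rejects the image before any allocation. The function names and the `max_bytes` allocation limit are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Value a signed 32-bit size variable ends up holding for these dimensions.
// Done in unsigned arithmetic so the demo itself has no undefined behaviour.
int32_t wrapped_int32_size(int32_t w, int32_t h, int32_t nchannels, int32_t bpc)
{
    uint32_t r = static_cast<uint32_t>(w);
    r *= static_cast<uint32_t>(h);
    r *= static_cast<uint32_t>(nchannels);
    r *= static_cast<uint32_t>(bpc);
    return static_cast<int32_t>(r);
}

// Hardened form (hypothetical helper): every factor must be positive, and the
// running product must stay within max_bytes, a caller-chosen allocation
// limit, at each step.
bool checked_image_bytes(int32_t w, int32_t h, int32_t nchannels, int32_t bpc,
                         size_t max_bytes, size_t* out)
{
    const int32_t factors[] = { w, h, nchannels, bpc };
    size_t total = 1;
    for (int32_t f : factors) {
        if (f <= 0)
            return false;
        const size_t v = static_cast<size_t>(f);
        if (total > max_bytes / v)  // total * v would exceed max_bytes
            return false;
        total *= v;
    }
    *out = total;
    return true;
}

int main()
{
    // Constructed header values: 65536 x 65537 pixels, 1 channel, 1 byte each.
    const int32_t w = 65536, h = 65537, nc = 1, bpc = 1;
    const size_t limit = size_t(1) << 30;  // 1 GiB policy limit (assumed)
    size_t bytes = 0;
    std::printf("32-bit size: %d bytes\n", wrapped_int32_size(w, h, nc, bpc));
    if (!checked_image_bytes(w, h, nc, bpc, limit, &bytes))
        std::printf("checked size: rejected before allocation\n");
    return 0;
}
```

For the constructed dimensions the true size is 4,295,032,832 bytes, while the 32-bit result is 65,536 bytes, which is the kind of undersized allocation the advisory describes.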