OpenImageIO Heap-Based Buffer Overflow Vulnerability in HEIF Decoder Allowing Memory Corruption and Potential Code Execution

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the HEIF decoder of OpenImageIO, affecting versions prior to 3.0.18.0 and 3.1.13.0; the issue is also present in OpenImageIO 3.2.0.1dev. The vulnerability arises from a subimage metadata mismatch in crafted images: the decoder's writes are driven by metadata that does not match the buffer it allocated, leading to out-of-bounds writes, memory corruption, and the potential for code execution.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, allowing for memory corruption and potentially leading to arbitrary code execution.

Reproduction

The vulnerability can be reproduced with the 'iconvert' command-line tool included with OpenImageIO. After building OpenImageIO with AddressSanitizer and UndefinedBehaviorSanitizer enabled, use 'iconvert' to convert a crafted HEIF file that triggers the vulnerability into a TIFF file. AddressSanitizer then reports a heap-buffer-overflow error, confirming that the vulnerable write has been triggered.
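The subimage metadata mismatch described above, as an added illustration written for this page and not OpenImageIO's HEIF decoder code: a copy routine that sizes its destination from the declared subimage spec but trusts the decoder's reported geometry, beside a version that validates the decoded geometry and buffer size before copying. The struct and function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed for this example (not OpenImageIO's types): the geometry a
// subimage declares in the container's metadata.
struct SubimageSpec {
    int width, height, nchannels;
};

// What the decoding library actually produced for that subimage.
struct DecodedPlane {
    int width, height, nchannels;
    std::vector<uint8_t> pixels;   // expected: width * height * nchannels bytes
};

// Vulnerable pattern: the destination is sized from the declared spec, but
// the copy loop is driven by the decoded plane's geometry. If a crafted file
// declares a smaller subimage than the decoder emits, the memcpy writes past
// the end of dst (the heap-buffer-overflow AddressSanitizer reports).
void copy_subimage_unchecked(const SubimageSpec& spec, const DecodedPlane& dec,
                             std::vector<uint8_t>& dst) {
    dst.assign(size_t(spec.width) * spec.height * spec.nchannels, 0);
    size_t stride = size_t(dec.width) * dec.nchannels;
    for (int y = 0; y < dec.height; ++y)
        std::memcpy(dst.data() + y * stride, dec.pixels.data() + y * stride, stride);
}

// Hardened pattern: reject the subimage unless the decoded geometry matches the
// declared spec exactly and the decoded buffer really holds that many bytes.
// Returns false (and leaves dst untouched) on any mismatch.
bool copy_subimage_checked(const SubimageSpec& spec, const DecodedPlane& dec,
                           std::vector<uint8_t>& dst) {
    if (spec.width <= 0 || spec.height <= 0 || spec.nchannels <= 0) return false;
    if (dec.width != spec.width || dec.height != spec.height ||
        dec.nchannels != spec.nchannels) return false;
    size_t nbytes = size_t(spec.width) * spec.height * spec.nchannels;
    if (dec.pixels.size() < nbytes) return false;
    dst.assign(dec.pixels.begin(), dec.pixels.begin() + nbytes);
    return true;
}
```

The unchecked routine is included only to show the shape of the defect; a sanitizer build flags it the moment the decoded plane is larger than the declared spec.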

Remediation

Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0 to address this vulnerability.

Added: May 14, 2026, 9:30 PM
Updated: May 14, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.