OpenImageIO Heap-Based Buffer Overflow Vulnerability in DPX Decoder

Vulnerability

A signed integer overflow vulnerability has been identified in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. The issue arises in the QueryRGBBufferSizeInternal() function within DPXColorConverter.cpp, where buffer sizes are calculated using 32-bit signed integer arithmetic. When a crafted DPX file declares a pixel count large enough for the multiplication to overflow, the computed buffer size is too small, an undersized heap buffer is allocated, and writing the decoded image data into it produces a heap-based out-of-bounds write. The resulting memory corruption can crash the process or potentially allow arbitrary code execution in applications that use OpenImageIO to read pixel data.
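As an added illustration (not OpenImageIO's code), a hypothetical stand-in for the 32-bit size arithmetic the advisory describes, beside a checked size_t version a decoder would use instead; the width * height * channels * bytes-per-sample formula, and 3 channels for kCbYCr and 4 for kABGR, are assumptions for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Constructed stand-in for a 32-bit signed size computation (hypothetical,
// not the project's function). With large pixel counts the product wraps,
// so the caller allocates far less than the decoder later writes. Signed
// overflow is undefined in C++, so the wrap is made explicit via uint32_t
// to keep this demonstration well-defined.
int vulnerableBufferSize(int width, int height, int channels, int bytesPerSample)
{
    uint32_t n = static_cast<uint32_t>(width) * static_cast<uint32_t>(height)
               * static_cast<uint32_t>(channels) * static_cast<uint32_t>(bytesPerSample);
    return static_cast<int32_t>(n);
}

// Hardened version: every factor must be positive, and each multiplication
// is checked against SIZE_MAX before it happens. A header whose geometry
// does not fit is rejected instead of silently producing a small size.
std::optional<size_t> checkedBufferSize(int64_t width, int64_t height,
                                        int64_t channels, int64_t bytesPerSample)
{
    const int64_t factors[] = {width, height, channels, bytesPerSample};
    size_t total = 1;
    for (int64_t f : factors) {
        if (f <= 0) return std::nullopt;
        size_t uf = static_cast<size_t>(f);
        if (total > std::numeric_limits<size_t>::max() / uf) return std::nullopt;
        total *= uf;
    }
    return total;
}

// True when the 32-bit result would lead to an undersized (or zero/negative)
// allocation compared with the exact byte count the image data needs.
bool vulnerableIsUndersized(int width, int height, int channels, int bytesPerSample)
{
    std::optional<size_t> exact = checkedBufferSize(width, height, channels, bytesPerSample);
    int v = vulnerableBufferSize(width, height, channels, bytesPerSample);
    return !exact || v <= 0 || static_cast<size_t>(v) < *exact;
}
```

A 65536 x 16384 image with three 16-bit channels needs 6442450944 bytes, but the 32-bit computation yields a negative value; a 65536 x 65536 image wraps to exactly 0.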

Impact

Exploitation of this vulnerability causes an unconditional process crash when a crafted DPX file is opened, regardless of the application used. Additionally, the heap buffer overflow can corrupt adjacent heap memory, potentially leading to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the OpenImageIO tool 'oiiotool' or the 'iinfo' command-line utility to process a crafted DPX file that triggers the integer overflow. Two different DPX files can be used, each exploiting a different case of the vulnerability: one for the kCbYCr descriptor and another for the kABGR descriptor.

Remediation

Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0 to address this vulnerability.

Added: May 14, 2026, 9:29 PM
Updated: May 14, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.