OpenImageIO Signed Integer Overflow Vulnerability in DPX Decoder Leading to Heap Out-of-Bounds Write

Vulnerability

A signed 32-bit integer overflow vulnerability has been identified in OpenImageIO, a toolset for image file manipulation used in VFX and animation. This issue exists in versions prior to 3.0.18.0 and 3.1.13.0. The vulnerability lies in the DPX 4:2:2 decoder, within the ConvertCbYCrYToRGB() function. The pixel-loop index expression 'i * 3' is evaluated in 32-bit signed arithmetic and can overflow, producing a large negative pointer offset that results in an out-of-bounds write and crashes the process. The vulnerability is triggered by processing a crafted DPX file whose pixel count exceeds the threshold at which the index calculation overflows.

Impact

Exploitation of this vulnerability causes an unconditional process crash once approximately 715 million pixels have been processed. Additionally, the out-of-bounds write places a limited number of bytes immediately before the output buffer in heap memory, which could potentially be leveraged for further exploitation.

Reproduction

To reproduce this vulnerability, use a version of OpenImageIO prior to the patched releases. A crafted DPX file of approximately 1.43 GB is sufficient to trigger it. The file is processed with the 'oiiotool' or 'iinfo' commands, which hash the file and, in the case of 'oiiotool', also process the image data. The signed integer overflow occurs during conversion of the image data from the CbYCrY colour space to RGB, specifically once the pixel count exceeds the threshold at which the index calculation overflows and yields a negative pointer offset.
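The arithmetic described in the Vulnerability and Reproduction sections, modelled in a small added example that is not OpenImageIO's code: the point at which a 32-bit 'i * 3' wraps, a size precheck to run before touching the output buffer, and an unpack loop that indexes with size_t so the product cannot wrap. The function names, the 8-bit Cb Y0 Cr Y1 byte order and the sample bytes are assumptions made for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pixel index at which a 32-bit signed 'i * 3' first wraps: INT_MAX / 3 + 1. */
int64_t first_wrapping_pixel(void) { return (int64_t)INT_MAX / 3 + 1; }

/* Models the vulnerable 32-bit index. The wrap is done in unsigned arithmetic so
   this function is well defined; in the real loop the signed overflow is undefined
   behaviour and on two's-complement targets yields the large negative offset. */
int32_t wrapped_rgb_index(int32_t i) { return (int32_t)((uint32_t)i * 3u); }

/* Hardened precheck: RGB byte count for width x height, or 0 when any of the
   products would overflow. Run this before allocating or touching the output. */
size_t rgb_bytes_if_safe(int64_t width, int64_t height) {
    if (width <= 0 || height <= 0 || height > INT64_MAX / width) return 0;
    int64_t npixels = width * height;
    if (npixels > INT64_MAX / 3 || (uint64_t)npixels * 3 > SIZE_MAX) return 0;
    return (size_t)npixels * 3;
}

/* Unpacks 8-bit CbYCrY (assumed byte order Cb Y0 Cr Y1 per pixel pair) into
   per-pixel Y,Cb,Cr triplets using size_t indexing, so 'i * 3' cannot wrap.
   The colour-matrix step is omitted; the point is the bounds-safe indexing.
   Returns pixels written, or 0 when the buffers do not fit. */
size_t unpack_cbycry(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len) {
    size_t npixels = src_len / 2;                       /* two bytes per pixel */
    if (npixels == 0 || npixels % 2 != 0) return 0;     /* whole pairs only */
    if (npixels > SIZE_MAX / 3 || npixels * 3 > dst_len) return 0;
    for (size_t i = 0; i < npixels; i += 2) {
        uint8_t cb = src[2 * i], y0 = src[2 * i + 1];
        uint8_t cr = src[2 * i + 2], y1 = src[2 * i + 3];
        dst[i * 3] = y0;       dst[i * 3 + 1] = cb;       dst[i * 3 + 2] = cr;
        dst[(i + 1) * 3] = y1; dst[(i + 1) * 3 + 1] = cb; dst[(i + 1) * 3 + 2] = cr;
    }
    return npixels;
}

/* Constructed sample: two pixel pairs. Returns 1 when the unpacked layout matches. */
int demo_unpack_ok(void) {
    static const uint8_t src[8] = {10, 20, 30, 40, 50, 60, 70, 80};
    static const uint8_t want[12] = {20, 10, 30, 40, 10, 30, 60, 50, 70, 80, 50, 70};
    uint8_t dst[12];
    return unpack_cbycry(src, sizeof src, dst, sizeof dst) == 4 &&
           memcmp(dst, want, sizeof want) == 0;
}
```

first_wrapping_pixel() returns 715827883, which matches the roughly 715 million pixel threshold the advisory gives.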

Remediation

Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0, where this vulnerability has been fixed.

Added: May 14, 2026, 9:28 PM
Updated: May 14, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          1.3
exploitability  5.6
remediation     7.7
relevance       8.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.