OpenImageIO Signed Integer Overflow Vulnerability in DPX ABGR Decoder Leading to Out-of-Bounds Read/Write

Vulnerability

A signed 32-bit integer overflow vulnerability has been identified in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. The issue arises in the SwapRGBABytes() function when processing kABGR DPX images with large dimensions. The loop index expression 'i * 4' overflows, causing the function to calculate a large negative pointer offset. This vulnerability results in an immediate out-of-bounds read, followed by out-of-bounds write operations, creating a combined out-of-bounds read and write primitive.
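Added example, not OpenImageIO's code: a constructed model of the wrapping 'i * 4' index arithmetic described above, beside a hardened ABGR-to-RGBA swap that validates the pixel count against the buffer with overflow-safe arithmetic before indexing. The function names and the 4-byte A-B-G-R pixel layout are assumptions.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>

// Constructed model (not OpenImageIO's code) of the loop-index arithmetic the
// advisory describes: a signed 32-bit pixel index i multiplied by 4 bytes per
// ABGR pixel. The product is formed in 64 bits and truncated to 32, so the
// function reports the wrapped value without itself relying on undefined
// behaviour.
int32_t wrapped_index_offset(int32_t i) {
    uint64_t prod = static_cast<uint64_t>(static_cast<uint32_t>(i)) * 4u;
    return static_cast<int32_t>(static_cast<uint32_t>(prod));  // negative once i > INT_MAX / 4
}

// First pixel index at which i * 4 no longer fits in a signed 32-bit int.
// Any kABGR image with at least this many pixels reaches the wrapped case.
constexpr int32_t first_overflowing_index() { return INT_MAX / 4 + 1; }

// Hardened ABGR -> RGBA in-place swap (assumed 4 bytes per pixel, A B G R
// order). The pixel count is validated against the buffer length using
// overflow-safe unsigned arithmetic and the byte offset is computed in
// size_t, so no index expression can wrap. Returns false, leaving the buffer
// untouched, when the dimensions cannot be addressed safely.
bool swap_abgr_to_rgba_checked(uint8_t* buf, size_t nbytes,
                               uint64_t width, uint64_t height) {
    if (width == 0 || height == 0) return true;
    if (width > UINT64_MAX / height) return false;  // width * height would overflow
    uint64_t npixels = width * height;
    if (npixels > nbytes / 4) return false;         // more pixels than the buffer holds
    for (size_t i = 0; i < static_cast<size_t>(npixels); ++i) {
        uint8_t* p = buf + i * 4;                   // size_t math: cannot go negative
        uint8_t a = p[0], b = p[1], g = p[2], r = p[3];
        p[0] = r; p[1] = g; p[2] = b; p[3] = a;
    }
    return true;
}
```

The same two checks (dimension product and pixel count versus buffer length) are what a defender would assert on a DPX header before any per-pixel loop runs.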

Impact

Exploitation of this vulnerability causes a denial-of-service crash. Additionally, the out-of-bounds write primitive could be used to write a controlled number of bytes just before the output buffer, potentially leading to further exploitation.

Reproduction

The vulnerability can be reproduced with either of the OpenImageIO command-line tools, 'oiiotool' or 'iinfo'. After applying the patch for a previous overflow vulnerability, the same DPX file that triggered the earlier issue crashes in the SwapRGBABytes function, demonstrating the out-of-bounds read and write.

Remediation

Users can upgrade to OpenImageIO versions 3.0.18.0 or 3.1.13.0 to address this vulnerability.

Added: May 14, 2026, 9:28 PM
Updated: May 14, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          3.8
exploitability  5.8
remediation     7.7
relevance       8.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.