OpenImageIO Integer Overflow Vulnerability in TGA Decoder Leading to Out-of-Bounds Read

Vulnerability

A vulnerability exists in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0, specifically within the TGA image decoder. The issue is an integer overflow in the bounds check of the 'decode_pixel' function: the palette index calculation can wrap around, so the wrapped value passes the validation check. The result is an out-of-bounds read of approximately 4 GB, which causes a segmentation fault. The vulnerability is triggered by a crafted TGA file whose header fields drive the flawed palette-index arithmetic.
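The class of flaw described above, as an added illustration that is not OpenImageIO's code: a hypothetical colour-map lookup whose bounds check is evaluated on a 32-bit product that can wrap, shown beside a version that validates the index before deriving any offset. The parameters `raw` (pixel value), `first` (colour-map origin) and `count` (colour-map length) are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_ENTRY 4u   /* 32-bit colour-map entries, as in the advisory */

/* Flawed pattern: the bounds check is evaluated on a product computed in
 * 32-bit arithmetic, so a wrapped index can satisfy it. Returns the byte
 * offset a caller would read from, or -1 when the check rejects the pixel.
 * Nothing is dereferenced; this only shows what the check lets through. */
int64_t vulnerable_palette_offset(uint32_t raw, uint32_t first, uint32_t count)
{
    uint32_t idx = raw - first;                   /* wraps when raw < first */
    uint32_t end = (idx + 1u) * BYTES_PER_ENTRY;  /* wraps again for a huge idx */
    if (end > count * BYTES_PER_ENTRY)            /* compares the wrapped value */
        return -1;
    return (int64_t)(idx * BYTES_PER_ENTRY);      /* ~4 GB past the palette */
}

/* Hardened pattern: validate the index itself before any multiplication,
 * and only then derive the offset from a value already known to be in range. */
int64_t hardened_palette_offset(uint32_t raw, uint32_t first, uint32_t count)
{
    if (raw < first)
        return -1;                        /* index would be negative */
    uint32_t idx = raw - first;
    if (idx >= count)
        return -1;                        /* index outside the colour map */
    return (int64_t)idx * BYTES_PER_ENTRY; /* idx < count, cannot wrap */
}

int main(void)
{
    /* Constructed input: pixel value 0 with a colour-map origin of 1 and
     * 256 entries, i.e. an index of -1 that wraps in 32-bit arithmetic. */
    printf("vulnerable: %lld\n", (long long)vulnerable_palette_offset(0, 1, 256));
    printf("hardened:   %lld\n", (long long)hardened_palette_offset(0, 1, 256));
    return 0;
}
```

The flawed check accepts the wrapped index and yields offset 4294967292 (just under 4 GB), matching the size of the read the advisory describes; the hardened check rejects it.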

Impact

Exploitation of this vulnerability causes an unconditional crash of the application when processing a crafted TGA file with a 32-bit color depth. Additionally, the out-of-bounds read could be leveraged to create a primitive for further exploitation.

Reproduction

The vulnerability can be reproduced by processing a specially crafted TGA file with the OpenImageIO tool 'oiiotool' or the 'iinfo' command-line utility; the file triggers the integer overflow in the palette decoding. An AddressSanitizer build reports a segmentation fault caused by the out-of-bounds read.

Remediation

Upgrade to OpenImageIO version 3.0.18.0 or 3.1.13.0, where this vulnerability has been fixed.

Added: May 14, 2026, 9:28 PM
Updated: May 14, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.