Biniamf

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** A signed integer overflow exists in the `QueryRGBBufferSizeInternal()` function within `DPXColorConverter.cpp` when processing crafted DPX image files. The function uses 32-bit signed integer arithmetic with negative multipliers to compute buffer sizes; however, a sufficiently large pixel count can cause the multiplication to overflow `INT MIN` and wrap to a small positive value. The system interprets this value as the required buffer size and allocates an undersized heap buffer via `m decodebuf.resize()`. Subsequently, writing the full image data via `fread` results in a heap-based out-of-bounds write. This can lead to a denial of service or potentially arbitrary code execution through heap corruption. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** A signed 32-bit integer overflow occurs in the pixel-loop index expression `i * 3` within the `ConvertCbYCrYToRGB()` function. This causes the function to calculate a large negative pointer offset into the output buffer, resulting in an out-of-bounds write that can lead to a process crash and denial of service. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0. As a temporary workaround, restrict the use of the `ConvertCbYCrYToRGB()` function until the updates are applied.

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** A signed 32-bit integer overflow occurs in the loop index expression `i * 4` within the `SwapRGBABytes()` function when processing kABGR DPX images with large dimensions. This causes the function to compute a large negative pointer offset, resulting in an out-of-bounds read and write. This issue can be exploited by a remote attacker to cause a denial of service. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** An issue exists in the `TGAInput::decode pixel()` function where the bounds check computes `k` + `palbytespp` using unsigned 32-bit arithmetic. If `k` is 0xFFFFFFFC and `palbytespp` is 4, the addition wraps to 0, bypassing the `palette alloc size` check. This allows the subsequent palette access to use the unwrapped `k` value as an index, resulting in a read operation approximately 4 GB beyond the start of the palette buffer, leading to a segmentation fault (SEGV), which is an abnormal termination of a program when it attempts to access a memory location that it is not allowed to access. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.