Medoedus

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** OpenImageIO is a toolset for reading, writing, and manipulating image files for VFX and animation. A heap buffer overflow and crash can occur when processing a crafted .sgi file where the RLE (Run-Length Encoding) count exceeds the scanline width. This happens because the `sgiinput.cpp` file uses `OIIO DASSERT` for bounds checking in the RLE decode loop; in release builds, this macro is compiled as a no-op, effectively disabling the bounds checks. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** An issue exists in the toolset used for reading, writing, and manipulating image files for VFX and animation. Specifically, the `softimageinput.cpp` file fails to clamp the run length to the remaining scanline width before writing pixels in both mixed RLE (Run-Length Encoding, a form of lossless data compression) and pure RLE paths. While the raw packet path uses `std::min` for clamping, the RLE paths bypass this check. A specially crafted .pic file can trigger a heap overflow of up to 65535 bytes. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.

**Name of the Vulnerable Software and Affected Versions** OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0 **Description** OpenImageIO is a toolset for reading, writing, and manipulating image files for VFX and animation. An issue exists in `jpeg2000input.cpp` where the buffer size is computed using signed 32-bit arithmetic via the calculation `const int bufsize = w * h * ch * buffer bpp`. If the resulting product exceeds `INT MAX`, the value wraps to zero or a small number, causing `m buf.resize()` to allocate an undersized buffer. This leads to a heap overflow during subsequent pixel write loops. This issue is conditional on the `USE OPENJPH` build flag. **Recommendations** Update to version 3.0.18.0. Update to version 3.1.13.0.

**Name of the Vulnerable Software and Affected Versions** OpenEXR versions 3.0.0 through 3.2.8 OpenEXR versions 3.3.0 through 3.3.10 OpenEXR versions 3.4.0 through 3.4.10 **Description** An integer overflow exists in the `ImageChannel::resize()` function, which can lead to a heap out-of-bounds (OOB) write—a condition where data is written outside the boundaries of the allocated memory buffer—via the OpenEXRUtil public API. **Recommendations** Update to version 3.2.9 Update to version 3.3.11 Update to version 3.4.11

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.25.0 **Description** An off-by-one error exists in the path traversal filter within `channels/drive/client/drive file.c`. The `contains dotdot()` function fails to detect `..` when it is the final component of a path without a trailing separator, although it correctly identifies `../` and `..` mid-path. A malicious RDP server can exploit this to read, list, or write files one directory above the client's shared folder via RDPDR requests, provided the client connects with drive redirection enabled. **Recommendations** Update to version 3.25.0.