CVE-2022-36354

Name of the Vulnerable Software and Affected Versions OpenImageIO versions prior to v2.3.20 OpenImageIO master-branch-9aeece7a and v2.3.19.0

Description A heap out-of-bounds read issue exists in the RLA format parser of OpenImageIO, specifically in the handling of run-length encoded byte spans. This can be triggered by a malformed RLA file, leading to an out-of-bounds read of heap metadata and potentially resulting in a sensitive information leak. An attacker can exploit this by providing a malicious file.

Recommendations For OpenImageIO versions prior to v2.3.20, update to version v2.3.20 or later to resolve the issue. For OpenImageIO master-branch-9aeece7a and v2.3.19.0, avoid using the RLA format parser until a patch is available. As a temporary workaround, consider restricting access to the RLA file format to minimize the risk of exploitation.