CVE-2022-43602

Name of the Vulnerable Software and Affected Versions OpenImageIO version 2.4.4.2

Description The issue is related to a buffer overflow in the close() function of the iffoutput component in the OpenImageIO library. This can be exploited by a remote attacker using a specially crafted file, potentially allowing access to confidential data, disrupting data integrity, and causing a denial of service. The vulnerability occurs when the ymax variable is set to 0xFFFF and m spec.format is TypeDesc::UINT8, leading to a heap buffer overflow.

Recommendations For OpenImageIO version 2.4.4.2, consider disabling the close() function in the iffoutput component until a patch is available. Restrict access to the IFFOutput::close() functionality to minimize the risk of exploitation. Avoid using the ymax variable with a value of 0xFFFF and m spec.format set to TypeDesc::UINT8 in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.