OpenImageIO Signed Integer Overflow in SwapRGBABytes Leads to OOB R/W (CVE-2026-4309)

漏洞概述 标题: Signed integer overflow in SwapRGBABytes loop index leads to out-of-bounds read/write in DPX ABGR decoder 描述: 在 函数的循环索引表达式 中存在一个有符号 32 位整数溢出。该函数用于计算较大的指针偏移量，在处理具有大尺寸的 KAGOR DPX 图像时会导致崩溃。 直接崩溃: 在迭代 时，表达式 产生一个大的负数有符号值作为指针偏移量，导致在 处发生越界读取。 后续写入: 随后的写入操作在行 46-49 针对相同的包装偏移量，从而产生了一个组合的越界读/写原语。 严重程度: High (CVSS v3 基础指标: 攻击向量 Network, 攻击复杂度 Low, 特权要求 None, 用户交互 Required, 范围 Unchanged, 机密性 High, 完整性 High, 可用性 High) CVSS v3 评分: 8.8 / 10 CVE ID: CVE-2026-4309 影响范围 受影响版本: 3.2.0.1-dev 修复版本: >= 3.0.18.0, >= 3.1.13.0, >= 3.2.0.2 影响: - 即时影响: 相同的 PoC 文件会导致拒绝服务 (DoS)，无论是否修补了 漏洞。 - 潜在影响: 越界写入原语——通过选择尺寸使得 包装为一个小负数值而不是最小值，攻击者可以覆盖缓冲区之前的边界。 修复方案 建议修复 (DPXColorConverter.cpp:41): 将循环计数器 参数从 更改为 。 代码变更: Before (修复前): After (修复后): 其他相关修复: 需要在 (行 115, 113), (行 129, 124), 和 (行 163, 124) 中进行相同的更改。 应拒绝 的图像，然后再调用 。 Proof-of-concept (PoC) PoC 文件: (约 2.1 GB 稀疏文件) 运行命令: Sanitizer 输出 (修复 QueryRGBBufferResizeInternal 后，在 SwapRGBABytes 第 45 行崩溃): ```text ./bin/ois1tool --hash poc_dpx_abgr_ood.dpx 2>&1 /home/roo/Desktop/OpenImageIO/OpenImageIO/src/lib_ois1tool/Ois1toolConverter.cpp:47:25: runtime error: load of value 1, which is not a valid value for type 'unsigned char' AddressSanitizer:DEADLYSIGNAL ================================================================= ==235875==ERROR: AddressSanitizer: SEGV on unknown address 0x5a54d248000 (pc 0x5a54d248000 bp 0x7fffffffc200 sp 0x7fffffffc000) ==235875==The signal is caused by a READ memory access. ==235875==Hint: address points to the zero page. #0 0x5a54d248000 in ois1::Convert::ToRGBInternal(ois1::Descriptor, ois1::DataSize, ois1::Characteristic, void const, void, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int, int,

目標達成すべての支援者に感謝 — 100%達成しました！

OpenImageIO Signed Integer Overflow in SwapRGBABytes Leads to OOB R/W (CVE-2026-4309)

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

OpenImageIO Signed Integer Overflow in SwapRGBABytes Leads to OOB R/W (CVE-2026-4309)

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！