{"id":"CVE-2024-40630","summary":"HEIF Heap OOB Read in OpenImageIO","details":"OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions (prior to 2.5.13.1) the HEIF input plugin, specifically `HeifInput::seek_subimage()` in `src/heif.imageio/heifinput.cpp`, can perform a heap out-of-bounds read (CWE-125) while processing HEIF input. In the worst case this can lead to information disclosure; programs that call the `ImageInput` APIs directly on untrusted HEIF files are the most exposed. This bug has been addressed in commit `0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3` (`0a2dcb4c`), which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue; until an upgrade is possible, exposure can only be reduced by not feeding untrusted HEIF files to affected builds.","aliases":["GHSA-jjm9-9m4m-c8p2"],"modified":"2026-04-12T09:00:30.651280Z","published":"2024-07-15T19:15:06.310Z","related":["openSUSE-SU-2024:14200-1"],"database_specific":{"cwe_ids":["CWE-125"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40630.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/AcademySoftwareFoundation/OpenImageIO/blob/7c486a1121a4bf71d50ff555fab2770294b748d7/src/heif.imageio/heifinput.cpp#L250"},{"type":"ADVISORY","url":"https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jjm9-9m4m-c8p2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40630.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40630"},{"type":"FIX","url":"https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/academysoftwarefoundation/openimageio","events":[{"introduced":"0"},{"fixed":"0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3"}]},{"type":"GIT","repo":"https://github.com/academysoftwarefoundation/openimageio","events":[{"intr
oduced":"0"},{"fixed":"0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3"}]}],"versions":["Arnold-3.4.72.0","Release-0.10.0","Release-1.0.0","Release-1.0.1","Release-1.1.0","Release-1.1.0-beta1","Release-1.1.0-beta2","Release-1.1.0-beta3","Release-1.1.0-beta4","Release-1.1.1","Release-1.3.0-dev","Release-1.3.1-dev","Release-1.3.2-dev","Release-1.3.3-dev","Release-1.3.4-dev","Release-1.3.5","Release-1.3.5-dev","Release-1.3.6-dev","Release-1.4.1dev","Release-1.4.2dev","Release-1.4.3dev","Release-1.4.4dev","Release-1.4.5dev","Release-1.4.6RC1","Release-1.5.0dev","Release-1.5.1dev","Release-1.5.2dev","Release-1.5.3dev","Release-1.5.4dev-pre-SIMD","Release-1.5.5dev","Release-1.5.6dev","Release-1.5.7dev","Release-1.6.1dev","Release-1.6.2dev","Release-1.6.3dev","Release-1.6.4dev","Release-1.6.6beta","Release-1.7.0dev","Release-1.7.1dev","Release-1.7.2dev","Release-1.7.3dev","Release-1.7.4dev","Release-1.7.5beta","Release-1.7.6RC1","Release-1.8.0dev","Release-1.8.1dev","Release-1.8.2dev","Release-1.8.3dev","Release-1.8.4dev","Release-1.9.1dev","Release-1.9.2dev","Release-1.9.3dev","Release-1.9.4dev","Release-2.0.0-beta1","Release-2.0.1-RC1","Release-2.1.0-dev","Release-2.1.1-dev","Release-2.1.2-dev","Release-2.1.3-dev","Release-2.1.4.0-dev","Release-2.1.5.0-dev","Release-2.1.7-beta","Release-2.1.8.0-RC1","Release-2.2.0.0-dev","Release-2.2.1.0-dev","Release-2.2.1.1-dev","Release-2.2.2.0-dev","Release-2.2.3.0-dev","Release-2.3.0.0-dev","Release-2.3.1.0-dev","Release-2.3.2.0-dev","Release-2.3.3.0-dev","Release-2.3.4.0-dev","arnold-3.4.71.0","spi-Arn3.4.71.0","spi-Arn3.4.72.0","spi-Arn3.4.73.6","spi-Arn3.4.73.7","spi-Arn3.5.0.0","spi-Arn3.5.10.0","spi-Arn3.5.11.0","spi-Arn3.5.12.0","spi-Arn3.5.13.1","spi-Arn3.5.14.0","spi-Arn3.5.16.0","spi-Arn3.5.2.0","spi-Arn3.5.24.0","spi-Arn3.5.25.0","spi-Arn3.5.26.0","spi-Arn3.5.28.0","spi-Arn3.5.31.0","spi-Arn3.5.35.0","spi-Arn3.5.37.0","spi-Arn3.5.41.0","spi-Arn3.5.45.0","spi-Arn3.5.45.1","spi-Arn3.5.48.0","spi-Arn3.5.5.0","spi-Arn3.5.50.0","spi-A
rn3.5.66.0","spi-Arn3.5.68.0","spi-Arn3.5.75.0","spi-Arn3.5.8.0","spi-Arn3.5.82.0","spi-Arn3.5.90.0","spi-Arn3.5.91.0","spi-Arn3.5.93.10","spi-Arn3.6.18.0","spi-Arn3.6.21.3","spi-Arn3.6.27.0","spi-Arn3.6.33.4","spi-Arn3.6.36.0","spi-Arn3.6.64.6","spi-Arn3.6.69.3","spi-Arn3.6.7.1","spi-Arn3.6.72.1","spi-Arn3.7.23.3","spi-Arn3.7.25.0","spi-Arn3.7.42.0","spi-SpComp2-v20","spi-SpComp2-v9","spi-spcomp2-release-38.0","spi-spcomp2-release-39.1","spi-spcomp2-release-41.0","spi-spcomp2-release-42.0-rhel7","spi-spcomp2-release-43.0","spi-spcomp2-release-44.0","spi-spcomp2-release-44.1","spi-spcomp2-release-44.2","spi-spcomp2-release-45.0","spi-spcomp2-release-45.1","spi-spcomp2-release-45.3","spi-spcomp2-release-45.4","spi-spcomp2-release-47.0","spi-spcomp2-release-48.0","spi-spcomp2-release-49.1","spi-v7-Arn3.4.73.3","spi-v8-Arn3.4.73.6","spiArn-3.6.74.0","spiArn-3.6.84.0","spiArn-3.6.86.0","spiArn-3.6.94.0","spiArn3.5.45.0","spiArn3.5.45.1","spiArn3.5.48.0","spiArn3.5.50.0","spiArn3.5.66.0","spiArn3.5.68.0","spiArn3.5.75.0","spiArn3.5.82.0","v2.3.5.0-dev","v2.3.6.0-dev","v2.4.0.0-dev","v2.4.0.1-dev","v2.4.0.2-dev","v2.4.0.3-dev","v2.4.1.1-dev","v2.4.2.0-dev","v2.4.2.1-dev","v2.4.2.2-dev","v2.5.0.0-dev","v2.5.10.0","v2.5.10.1","v2.5.11.0","v2.5.12.0","v2.5.13.0","v2.5.2.0-dev","v2.5.3.0-beta1","v2.5.3.1-beta2","v2.5.3.2-rc1","v2.5.4.0","v2.5.5.0","v2.5.6.0","v2.5.7.0","v2.5.8.0","v2.5.9.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"file":"src/heif.imageio/heifinput.cpp"},"source":"https://github.com/academysoftwarefoundation/openimageio/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["103573966870306543383948836987695999610","66276964886249471145584212470127578146","221309653061070245555640225979569668582","161057805417490905985910963233721280302","205734884234113577579874720623205435792"]},"id":"CVE-2024-40630-75f0fc28"},{"signature_version":"v1","target"
:{"file":"src/heif.imageio/heifinput.cpp","function":"HeifInput::seek_subimage"},"source":"https://github.com/academysoftwarefoundation/openimageio/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3","signature_type":"Function","deprecated":false,"digest":{"function_hash":"327011360446793982274689712196680027419","length":4737},"id":"CVE-2024-40630-95ec7a56"}],"vanir_signatures_modified":"2026-04-12T09:00:30Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40630.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}