Message-ID: <CAFmK-GyBoD3vRNDByWBr=Jrt9AKzYUCRDpmZ1fCJA+qaQWH3AA@mail.gmail.com>
Date: Sat, 23 Aug 2025 10:13:26 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libheif v1.21.0 Heap Buffer Overflow in Chunk::Chunk
The vulnerability resides in the constructor Chunk::Chunk
(libheif/sequences/chunk.cc:89). When parsing the Sample Size Box (stsz) of
a HEIF sequence track, the code allocates a std::vector<unsigned int> and
then appends an entry for each sample size. The count used for allocation
and iteration is taken directly from the bitstream (Box_stsz::parse)
without verifying that the declared count is consistent with the data
actually available. When the stsz box is malformed (for example, declaring
fewer entries than are actually present, or carrying corrupted values), the
constructor reads and writes beyond the allocated vector buffer, triggering
a heap buffer overflow.
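As an added illustration of the consistency check this report says is missing, the following is a bounds-checked parser for an stsz box payload. It is example code written for this note, not libheif's parser; it assumes the ISO/IEC 14496-12 stsz layout and receives only the box payload (after the size and type fields), and the sample payloads are constructed.

```cpp
// Added example: bounds-checked parser for the payload of an ISOBMFF
// Sample Size Box (stsz). Not libheif code.
// Layout (ISO/IEC 14496-12): version(1) flags(3) sample_size(4)
// sample_count(4) [entry_size(4) * sample_count, only if sample_size == 0].
#include <cstdint>
#include <cstddef>
#include <optional>
#include <vector>

struct Stsz {
  uint32_t sample_size = 0;            // 0 means per-sample sizes follow
  std::vector<uint32_t> entry_sizes;   // filled only when sample_size == 0
};

static uint32_t be32(const uint8_t* p) {
  return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
         (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Returns std::nullopt when the declared sample_count does not match the
// bytes actually present, instead of trusting the count from the bitstream
// for allocation and iteration.
std::optional<Stsz> parse_stsz(const std::vector<uint8_t>& payload) {
  if (payload.size() < 12) return std::nullopt;          // header truncated
  Stsz box;
  box.sample_size = be32(&payload[4]);
  uint32_t count = be32(&payload[8]);
  if (box.sample_size != 0) return box;                  // no entry table
  // Compare count against the remaining bytes without risking overflow.
  size_t remaining = payload.size() - 12;
  if (count > remaining / 4) return std::nullopt;        // declared > available
  if (size_t(count) * 4 != remaining) return std::nullopt; // trailing data
  box.entry_sizes.reserve(count);
  for (uint32_t i = 0; i < count; ++i)
    box.entry_sizes.push_back(be32(&payload[12 + size_t(i) * 4]));
  return box;
}

// Constructed sample payloads (not taken from any real file).
std::vector<uint8_t> good_stsz() {   // sample_size=0, count=2, sizes 100, 200
  return {0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,100, 0,0,0,200};
}
std::vector<uint8_t> bad_stsz() {    // declares 5 entries but carries only 1
  return {0,0,0,0, 0,0,0,0, 0,0,0,5, 0,0,0,100};
}
```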
*Attack Surface:*
Any application using libheif to parse untrusted HEIF sequences (e.g.,
media servers, thumbnail generators, messaging clients) may invoke this
vulnerable code. Triggering requires only opening a malicious .heic/.heif
file with a crafted sequence track.
*Impact:*
- Out-of-bounds heap read/write → corruption of adjacent allocations.
- Potential arbitrary code execution if heap metadata, C++ vtables, or
other sensitive structures are corrupted.
- At minimum, denial of service via crash.
*Evidence:*
==3015612==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x503000000c30
READ of size 4
#0 Chunk::Chunk(...) libheif/sequences/chunk.cc:89
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/