Open Source and information security mailing list archives
Message-ID: <CAFmK-GzC=L-ewcLTWU9Qjxa5L0xi05eM1UQ_XVinMZgB9=+PBg@mail.gmail.com>
Date: Sat, 23 Aug 2025 10:15:34 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling

The Track::init_sample_timing_table logic manages a
std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks.
With malformed HEIF sequence files, corrupted chunk tables may cause
premature destruction of Chunk objects while references remain in the
vector. Later accesses via std::__shared_ptr<Chunk>::get() return a
dangling pointer.

ASan reports these as heap-buffer-overflows because the stale pointer still
points into heap memory. In reality, the vulnerability is caused by
dangling shared_ptr state, i.e., a use-after-free on the Chunk object.

*Root Cause:*

   - Improper lifetime management of Chunk objects when parsing corrupted
     sequence metadata.
   - No validation that chunk indices map to live objects before
     dereferencing.

*Attack Surface:*

Triggered when a crafted HEIF sequence provides inconsistent or truncated
chunk layout metadata (stsc / stco / stsz).
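As an added defensive illustration, not libheif's own code (StscEntry, Chunk, build_chunks and chunk_for_sample are constructed names), the following cross-checks the stsc/stco/stsz tables against each other before any chunk object is created, so a chunk index from a truncated or inconsistent layout is rejected instead of being dereferenced:

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>

// Constructed model of the three ISO-BMFF sample-table boxes; not libheif's own types.
struct StscEntry { uint32_t first_chunk; uint32_t samples_per_chunk; }; // first_chunk is 1-based
struct Chunk { uint64_t offset; uint64_t first_sample; uint32_t num_samples; };

// Validate stsc/stco/stsz against each other before building any chunk objects. Returns
// std::nullopt on any inconsistency, so no Chunk exists for an index without an stco entry.
std::optional<std::vector<std::shared_ptr<Chunk>>>
build_chunks(const std::vector<StscEntry>& stsc,
             const std::vector<uint64_t>& stco,     // one file offset per chunk
             const std::vector<uint32_t>& stsz)     // one size per sample
{
  if (stsc.empty() || stco.empty() || stsc.front().first_chunk != 1) return std::nullopt;
  for (size_t i = 0; i < stsc.size(); ++i) {
    // Every run must start inside stco, runs must be strictly increasing, and never empty.
    if (stsc[i].first_chunk > stco.size()) return std::nullopt;
    if (i > 0 && stsc[i].first_chunk <= stsc[i - 1].first_chunk) return std::nullopt;
    if (stsc[i].samples_per_chunk == 0) return std::nullopt;
  }
  std::vector<std::shared_ptr<Chunk>> chunks;
  uint64_t next_sample = 0;
  for (size_t i = 0; i < stsc.size(); ++i) {
    uint64_t last_chunk = (i + 1 < stsc.size()) ? stsc[i + 1].first_chunk - 1 : stco.size();
    for (uint64_t c = stsc[i].first_chunk; c <= last_chunk; ++c) {
      uint32_t n = stsc[i].samples_per_chunk;
      if (next_sample + n > stsz.size()) return std::nullopt;   // truncated stsz
      chunks.push_back(std::make_shared<Chunk>(Chunk{stco[c - 1], next_sample, n}));
      next_sample += n;
    }
  }
  if (next_sample != stsz.size()) return std::nullopt;          // stsz has samples no chunk covers
  return chunks;
}

// Resolve a sample index to its chunk via the shared_ptr itself; a caller that keeps the
// returned shared_ptr holds the object alive instead of relying on a raw get() pointer.
std::shared_ptr<Chunk> chunk_for_sample(const std::vector<std::shared_ptr<Chunk>>& chunks,
                                        uint64_t sample)
{
  for (const auto& ch : chunks) {
    if (ch && sample >= ch->first_sample && sample < ch->first_sample + ch->num_samples) return ch;
  }
  return nullptr;
}
```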

*Impact:*

   - Use-after-free allows reads from freed memory and potentially controlled
     reuse of memory.
   - Possible heap information disclosure or corruption.
   - Exploitable in contexts with predictable allocator behavior → may allow
     arbitrary code execution.

*Evidence:*

==3420210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000540
READ of size 8
#0 std::__shared_ptr<Chunk>::get() const .../shared_ptr_base.h:1667
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
