Open Source and information security mailing list archives
Message-ID: <CAFmK-GyUNPMcKQ03ke0Qmu6Oan6-PZPp9p5QAuoZ-PdaWGN8=w@mail.gmail.com>
Date: Sat, 23 Aug 2025 11:51:27 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation

An integer overflow vulnerability exists in the Y4M input loader (loadY4M
in decoder_y4m.cc) of libheif. The loader fails to properly validate the
width and height values declared in the Y4M file header. Supplying a
crafted .y4m file with extremely large dimensions (e.g., W2147483647
H2147483647) causes integer overflow during buffer size calculations. This
results in uncontrolled memory allocation requests that exceed supported
limits. Depending on the build and allocator behavior, this may cause a
denial of service (application crash or out-of-memory) or heap buffer
overflow leading to potential memory corruption.

*Impact*

   - *Denial of Service (DoS):* Application crash or OOM when parsing
     malicious Y4M.
   - *Potential Memory Corruption:* If allocation wraps around to a smaller
     buffer, subsequent writes may overrun heap memory, possibly leading to
     arbitrary code execution under certain conditions.


*Proof of Concept:* Run through a libheif build with Y4M enabled (e.g.,
heif-enc or a harness linked against decoder_y4m.cc); AddressSanitizer
reports:

ERROR: AddressSanitizer: requested allocation size 0x400000000000000f ...
SUMMARY: AddressSanitizer: allocation-size-too-big in
HeifPixelImage::ImagePlane::alloc
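The defensive check the advisory describes as missing, written as an added example that is not libheif's code: the Y4M header line is parsed, W/H are bounded by a placeholder MAX_DIMENSION (an assumed value, not one from the project), and the 4:2:0 frame size is computed with overflow-checked multiplication so that neither the W2147483647 H2147483647 case nor a wrapped intermediate ever reaches the allocator.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sanity bound; a real decoder picks a limit matching its use case. */
#define MAX_DIMENSION 16384u
/* Multiply two size_t values, reporting wrap-around instead of silently truncating. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}
/* Parse the digits after a W/H tag into a bounded dimension; 0 on success. */
static int parse_dim(const char *tok, uint32_t *out) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(tok, &end, 10);
    if (errno != 0 || end == tok || (*end && *end != ' ' && *end != '\n')) return -1;
    if (v == 0 || v > MAX_DIMENSION) return -1;  /* rejects W2147483647 outright */
    *out = (uint32_t)v;
    return 0;
}
/* Byte size of one 4:2:0 frame declared by a Y4M stream header line. Returns 0 and
 * sets *frame_bytes, or -1 if the header is malformed, omits a dimension, exceeds
 * MAX_DIMENSION, or the size arithmetic would wrap. */
int y4m_frame_size(const char *header, size_t *frame_bytes) {
    if (strncmp(header, "YUV4MPEG2", 9) != 0) return -1;
    uint32_t w = 0, h = 0;
    const char *p = header;
    while ((p = strchr(p, ' ')) != NULL) {
        p++;
        if (*p == 'W' && parse_dim(p + 1, &w) != 0) return -1;
        if (*p == 'H' && parse_dim(p + 1, &h) != 0) return -1;
    }
    if (w == 0 || h == 0) return -1;
    size_t luma, chroma;
    if (mul_checked(w, h, &luma) != 0) return -1;
    /* Chroma planes are subsampled 2x2, rounded up, and there are two of them. */
    if (mul_checked((w + 1) / 2, (h + 1) / 2, &chroma) != 0) return -1;
    if (mul_checked(chroma, 2, &chroma) != 0) return -1;
    if (luma > SIZE_MAX - chroma) return -1;
    *frame_bytes = luma + chroma;
    return 0;
}
/* Convenience wrapper: the frame size, or 0 when the header is rejected. */
size_t y4m_frame_size_or_zero(const char *header) {
    size_t n = 0;
    return y4m_frame_size(header, &n) == 0 ? n : 0;
}
```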
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/