libavif Integer Overflow and Buffer Overflow Vulnerability in makeRoom Function

Vulnerability

A vulnerability exists in libavif versions prior to 1.3.0, specifically in the makeRoom function within stream.c. The issue is an integer overflow that leads to a buffer overflow. When stream->offset or the size parameter is large, the calculation of the needed buffer size (offset plus size) can wrap around, so the buffer is allocated smaller than required. The subsequent memory copy then writes past the end of the undersized buffer.

Impact

Exploitation of this vulnerability can lead to a buffer overflow, which may allow for arbitrary code execution or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by calling the makeRoom function with a large size parameter, or with a stream offset that, when added to the size, exceeds the maximum value of a size_t. The addition wraps around, the needed size for the buffer is computed incorrectly, and the buffer overflows when the data is copied.
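The following is an added illustration of the defect class described above, written for this page and not taken from libavif's stream.c: a hypothetical stream type (demo_stream, with assumed field names) whose grow routine checks the offset-plus-size addition for wraparound before allocating, alongside the unchecked computation that wraps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stream type, modelled loosely on the description above;
 * the struct and field names are assumptions, not libavif's definitions. */
typedef struct {
    uint8_t *data;
    size_t   size;    /* bytes currently allocated */
    size_t   offset;  /* current write position */
} demo_stream;

/* The defect class: offset + size wraps around in size_t, so the
 * "needed" value comes out tiny and a later copy overruns the buffer. */
size_t needed_unchecked(size_t offset, size_t size) {
    return offset + size;
}

/* Hardened form: refuse the request when the sum cannot be represented. */
bool needed_checked(size_t offset, size_t size, size_t *needed) {
    if (size > SIZE_MAX - offset) {
        return false; /* would wrap: the caller must treat this as an error */
    }
    *needed = offset + size;
    return true;
}

/* Grow the stream's buffer so that `size` more bytes fit at `offset`.
 * Returns false, leaving the stream untouched, on overflow or allocation failure. */
bool demo_make_room(demo_stream *s, size_t size) {
    size_t needed;
    if (!needed_checked(s->offset, size, &needed)) {
        return false;
    }
    if (needed <= s->size) {
        return true; /* already enough room */
    }
    uint8_t *grown = realloc(s->data, needed);
    if (grown == NULL) {
        return false;
    }
    s->data = grown;
    s->size = needed;
    return true;
}
```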

Remediation

Users can upgrade to libavif version 1.3.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 4.2
impact: 1.3
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.