AOMediaCodec libavif
cpe:2.3:a:aomedia:libavif:*:*:*:*:*:*:*
- < 1.3.0
A vulnerability has been identified in libavif versions prior to 1.3.0, specifically within the 'avifImageRGBToYUV' function in 'reformat.c'. The issue arises from integer overflows in multiplications involving the row byte values for the RGB and YUV channels. This vulnerability could potentially be exploited by crafting an image with large dimensions, leading to memory corruption or other unintended behavior.
Exploitation of this vulnerability causes integer overflows, which can lead to memory corruption. Such memory corruption vulnerabilities can often be exploited to execute arbitrary code or cause a denial-of-service condition.
To reproduce this vulnerability, create an AVIF image with a width and height of 65,536 pixels each and a bit depth of 16. This can be done with a simple C program that links against the 'libavif' library. The program should allocate an RGB buffer for the image data, ensuring that the buffer size calculation itself does not overflow. After the buffer is allocated and the image initialized, calling the 'avifImageRGBToYUV' function triggers the vulnerability. The overflow can be detected by compiling the program with 'clang' or 'gcc' with checks for undefined integer overflow enabled.
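The arithmetic behind the overflow, as an added example (not libavif's own code): a row offset computed as row index times row bytes in 32 bits, next to a widened and checked form, using the dimensions and bit depth given above. The function names, the 3-channel RGB layout and the use of `uint32_t` operands (chosen so the wrap is well-defined and observable) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per row, or false if width * channels * bytes-per-channel exceeds 32 bits. */
bool row_bytes_checked(uint32_t width, uint32_t channels, uint32_t depth, uint32_t *out)
{
    if (channels == 0 || channels > 4) return false;
    uint64_t v = (uint64_t)width * channels * ((depth > 8) ? 2u : 1u);
    if (v > UINT32_MAX) return false;
    *out = (uint32_t)v;
    return true;
}

/* Weak form: row index times stride in 32-bit arithmetic, wraps modulo 2^32. */
uint32_t row_offset_32(uint32_t row, uint32_t rowBytes)
{
    return row * rowBytes;
}

/* Hardened form: widen to 64 bits first, then reject what size_t cannot hold. */
bool row_offset_checked(uint32_t row, uint32_t rowBytes, size_t *out)
{
    uint64_t v = (uint64_t)row * rowBytes;
    if ((uint64_t)(size_t)v != v) return false;
    *out = (size_t)v;
    return true;
}

int main(void)
{
    /* Constructed input: dimensions and depth from the text, 3 channels assumed. */
    uint32_t rowBytes = 0;
    size_t off = 0;
    if (!row_bytes_checked(65536, 3, 16, &rowBytes)) return 1;
    printf("rowBytes             = %u\n", (unsigned)rowBytes);
    printf("32-bit last-row off  = %u\n", (unsigned)row_offset_32(65535, rowBytes));
    if (row_offset_checked(65535, rowBytes, &off))
        printf("checked last-row off = %zu\n", off);
    else
        printf("offset does not fit in size_t on this platform\n");
    return 0;
}
```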
Users are advised to update to libavif version 1.3.0 or later, where this vulnerability has been fixed.