libheif Heap Buffer Over-Read Vulnerability in Overlay Image Handling

Vulnerability

A heap buffer over-read has been identified in libheif, a library for encoding and decoding the HEIF and AVIF file formats. The issue affects versions through 1.20.2. It lies in the HeifPixelImage::overlay() function and is reachable with a crafted HEIF file that uses the overlay image item path. The function computes a negative row length, most likely because the overlay rectangle is not properly clipped to the destination image or because the overlay offsets are invalid. When that negative value is passed to memcpy it is converted to size_t and wraps around to a very large count, so memcpy reads far past the end of the source plane and the process crashes. Because the bytes read are copied into the destination image buffer, the over-read can also disclose adjacent heap data, depending on the memory allocator and heap layout.
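The following is an added illustration of the bug class described above; it is not libheif's code and does not reproduce HeifPixelImage::overlay(). It models a source plane being copied row by row onto a destination plane at an overlay offset. row_len_unclipped() shows the vulnerable pattern (a signed row length that goes negative when the overlay lies outside the destination, then becomes a huge size_t at the memcpy), and clip_interval()/overlay_plane() show the hardened form that clips the overlay rectangle to the destination before any copy. All names (plane_t, row_len_unclipped, clip_interval, overlay_plane) and the sample planes are hypothetical constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libheif code: a simplified model of copying the
 * rows of an overlay source plane into a destination plane at offset
 * (ox, oy). All names here (plane_t, row_len_unclipped, clip_interval,
 * overlay_plane) are hypothetical. */

typedef struct {
    uint8_t *data;   /* row-major 8-bit samples */
    int width;
    int height;
    int stride;      /* bytes per row */
} plane_t;

/* Vulnerable pattern. The per-row byte count is derived from the overlay
 * rectangle in signed arithmetic without clipping. If the overlay starts
 * beyond the destination's right edge (ox > dst_w), dst_w - ox is negative;
 * memcpy takes size_t, so the value wraps to a huge unsigned count and the
 * copy would read far past the end of the source plane. */
size_t row_len_unclipped(int src_w, int dst_w, int ox)
{
    int len = src_w;
    if (ox + src_w > dst_w)
        len = dst_w - ox;            /* negative when ox > dst_w */
    return (size_t)len;              /* the conversion memcpy would perform */
}

/* Hardened pattern. Clip the overlay interval [off, off+src_len) against the
 * destination interval [0, dst_len). Writes the first source index, the
 * first destination index and the number of elements that overlap.
 * Returns 0 (and *len = 0) when there is no overlap, so the caller copies
 * nothing instead of a negative count. 64-bit arithmetic avoids int
 * overflow for hostile off/src_len pairs. */
int clip_interval(int src_len, int dst_len, int off,
                  int *src_start, int *dst_start, size_t *len)
{
    int64_t start = off > 0 ? off : 0;
    int64_t end   = (int64_t)off + src_len;
    if (end > dst_len)
        end = dst_len;

    *len = 0;
    if (src_len <= 0 || dst_len <= 0 || end <= start)
        return 0;

    *dst_start = (int)start;
    *src_start = (int)(start - off);
    *len = (size_t)(end - start);
    return 1;
}

/* Copy src onto dst at (ox, oy), clipping in both dimensions. Returns the
 * number of rows actually copied. Every memcpy length is the clipped
 * overlap, never a negative value turned into a huge size_t. */
int overlay_plane(plane_t *dst, const plane_t *src, int ox, int oy)
{
    int sx, dx, sy, dy;
    size_t cols, rows;

    if (!clip_interval(src->width,  dst->width,  ox, &sx, &dx, &cols) ||
        !clip_interval(src->height, dst->height, oy, &sy, &dy, &rows))
        return 0;

    for (size_t r = 0; r < rows; r++) {
        memcpy(dst->data + (size_t)(dy + (int)r) * dst->stride + dx,
               src->data + (size_t)(sy + (int)r) * src->stride + sx,
               cols);
    }
    return (int)rows;
}

int main(void)
{
    /* Constructed input: 8x2 destination, 4x2 source placed at x=10,
     * entirely beyond the right edge of the destination. */
    printf("unclipped row length for ox=10: %zu bytes\n",
           row_len_unclipped(4, 8, 10));          /* wraps to near SIZE_MAX */

    uint8_t d[16] = {0};
    uint8_t s[8];
    memset(s, 0xAA, sizeof s);
    plane_t dst = { d, 8, 2, 8 };
    plane_t src = { s, 4, 2, 4 };

    printf("rows copied at (10,0): %d\n", overlay_plane(&dst, &src, 10, 0));
    printf("rows copied at (6,1):  %d\n", overlay_plane(&dst, &src, 6, 1));
    return 0;
}
```

The point of the hardened version is that the rectangle is clipped once, in 64-bit arithmetic, and the copy loop only ever sees the overlap; an overlay that lies entirely outside the destination (or has a non-positive size) results in zero bytes copied rather than a wrapped count.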

Impact

Triggering the flaw crashes the decoding process, which is a denial of service for any application that decodes untrusted HEIF files with an affected libheif. Because the over-read copies out-of-bounds heap memory into the destination image buffer, it can also leak adjacent heap data if the decoded image is returned to the party that supplied the file; how much is exposed depends on the memory allocator and heap layout.

Reproduction

The issue can be reproduced with libFuzzer and AddressSanitizer: build libheif's 'file_fuzzer' target with ASan enabled and feed it a HEIF file that contains an overlay item. Decoding that file follows the normal decoding path into HeifPixelImage::overlay(), where ASan reports a heap-buffer-overflow read on the source plane.

Remediation

Users can upgrade to libheif version 1.21.0, which includes a patch for this vulnerability. Instructions for downloading this version are available on the libheif GitHub releases page.

Added: Dec 29, 2025, 7:19 PM
Updated: Dec 29, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.4
remediation: 7.9
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.