libheif HEIF and AVIF File Format Library Denial-of-Service Vulnerability via Crafted HEIF Sequence Files

Vulnerability

A denial-of-service vulnerability has been identified in libheif, a library for decoding and encoding HEIF and AVIF file formats. This issue affects versions through 1.21.2. The vulnerability arises when a specially crafted 792-byte HEIF sequence file is processed. The file contains a 'samples_per_chunk' value of 0 in the 'stsc' box, which leads to an unsigned integer underflow in the Chunk constructor. This underflow maps all samples to an empty chunk. When any sample is accessed, the library attempts to read from the first index of an empty vector, resulting in a segmentation fault due to a null-page read. The file is parsed successfully without errors, and the crash occurs upon the first frame access, making this a reliable denial-of-service vector.

Impact

Exploitation of this vulnerability causes an immediate and deterministic process crash due to a segmentation fault, as the library tries to read sample data from an empty vector.

Reproduction

The vulnerability can be reproduced by creating a valid two-frame HEIF sequence file using the libheif API, then patching the 'stsc' box to set 'samples_per_chunk' to 0. This modified file, when opened, will parse without error but will cause a segmentation fault on the first sample access.

Remediation

Users should update to libheif version 1.22.0 or later, where this vulnerability has been fixed.

Added: May 19, 2026, 7:27 PM
Updated: May 19, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.