libheif Denial-of-Service Vulnerability via Infinite Loop in Sample Duration Lookup

Vulnerability

A denial-of-service vulnerability has been identified in libheif versions through 1.21.2. The issue arises when a crafted 800-byte HEIF sequence file is processed, causing an infinite loop in the 'Box_stts::get_sample_duration()' function. This loop consumes 100% of the CPU without any progress, lacks an iteration limit or timeout, and is triggered during the file parsing phase—before any user interaction or image decoding occurs. As a result, the process remains active without crashing or logging an error, making the issue undetectable by standard crash-based monitoring methods.

Impact

Exploitation of this vulnerability leads to an infinite loop, causing a denial-of-service condition where the process consumes 100% CPU indefinitely with no progress, no crash, and no error logged.

Reproduction

The vulnerability can be reproduced by creating a valid two-frame HEIF sequence file using the libheif API, then injecting a 'sample_count=0' entry into the 'stts' (sample-to-time) box. This crafted file, when opened with libheif, causes the library to hang in the 'get_sample_duration()' function, confirming the denial-of-service condition.
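As an added defensive example (not libheif's code and not the reporter's proof of concept), the following Python script walks the ISO BMFF box tree of a HEIF file and flags every 'stts' entry whose sample_count is 0, the condition described above, so that such files can be screened before they are handed to a decoder. The minimal file it builds is constructed here for the demonstration; the box layout (32-bit size, 4-byte type, FullBox version/flags) follows the ISO BMFF container format.

```python
import struct

CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
def iter_boxes(data, start, end):
    """Yield (type, payload_start, payload_end) for each box in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:            # 64-bit largesize follows the 8-byte header
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:          # box extends to the end of the enclosing range
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed box {btype!r} at offset {pos}")
        yield btype, pos + header, pos + size
        pos += size

def parse_stts(data, start, end):
    """Return the (sample_count, sample_delta) entries of an stts payload (version/flags, entry_count, entries)."""
    _version_flags, entry_count = struct.unpack_from(">II", data, start)
    if start + 8 + entry_count * 8 > end:
        raise ValueError("stts entry_count exceeds box size")
    return [struct.unpack_from(">II", data, start + 8 + i * 8) for i in range(entry_count)]

def find_zero_count_stts_entries(data):
    """Walk the box tree; return (entry_index, sample_delta) for every stts entry whose sample_count is 0."""
    findings = []
    def walk(start, end):
        for btype, pstart, pend in iter_boxes(data, start, end):
            if btype == b"stts":
                for i, (count, delta) in enumerate(parse_stts(data, pstart, pend)):
                    if count == 0:
                        findings.append((i, delta))
            elif btype in CONTAINER_BOXES:
                walk(pstart, pend)
    walk(0, len(data))
    return findings

def box(btype, payload):
    """Serialise one box: 32-bit big-endian size (header included), 4-char type, payload."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def build_sample_file(entries):
    """Constructed test input: ftyp plus a moov/trak/mdia/minf/stbl/stts chain carrying the given stts entries."""
    stts_payload = struct.pack(">II", 0, len(entries)) + b"".join(struct.pack(">II", c, d) for c, d in entries)
    moov = box(b"moov", box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", box(b"stts", stts_payload))))))
    return box(b"ftyp", b"msf1" + struct.pack(">I", 0) + b"msf1") + moov
```

Running `find_zero_count_stts_entries(build_sample_file([(1, 512), (0, 512), (1, 512)]))` reports the middle entry as `[(1, 512)]`; a non-empty result is the signal to reject the file before decoding.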

Remediation

Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been fixed.

Added: May 19, 2026, 8:20 PM
Updated: May 19, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.