libheif
- <= 1.21.2
A heap-buffer-overflow vulnerability has been identified in libheif, a library for decoding and encoding HEIF and AVIF file formats. This vulnerability exists in versions through 1.21.2 and arises during the grid tile compositing process. By crafting a HEIF or AVIF file with a 1×4 grid of odd-height tiles, an attacker can exploit this vulnerability to write 64 bytes of attacker-controlled data beyond the end of a chroma plane heap allocation. The overflow occurs during normal image decoding with the default build configuration, allowing the attacker to manipulate chroma pixel values and potentially execute arbitrary code.
Exploitation of this vulnerability leads to a heap-buffer-overflow in which controlled data is written into adjacent heap memory. This heap corruption can overwrite critical data such as vtable pointers or allocator metadata, potentially leading to remote code execution via heap grooming techniques. The memory corruption also crashes release builds or aborts sanitized (ASan) builds, creating a denial-of-service condition.
To reproduce this vulnerability, create a HEIF or AVIF file containing a grid image with YCbCr 4:2:0 chroma subsampling. The grid should include odd-height tiles, and the canvas height must be divisible by 4 to ensure the chroma height is even, bypassing certain padding mechanisms. When the crafted file is opened or decoded, the vulnerability will be triggered, causing the heap-buffer-overflow.
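The arithmetic behind the geometry described above, as an added example that is not libheif code: a bounds-checked chroma compositing step that works out how many chroma rows each tile of a single-column grid would contribute and clips the copy to the canvas chroma plane instead of writing past it. The `Grid` type, the assumption that a tile of odd height carries `ceil(h/2)` chroma rows, that tile chroma rows are stacked directly one after another, and that samples are 8-bit 4:2:0 are all assumptions of this example, not a description of libheif's internal arithmetic.

```python
"""Bounds-checked grid-tile chroma compositing (constructed example, not libheif code).

Models the arithmetic that makes odd-height tiles risky for a 4:2:0 canvas:
the canvas chroma plane holds canvas_h / 2 rows, but every odd-height tile
carries ceil(tile_h / 2) chroma rows, so a column of such tiles asks for more
rows than the plane has. A safe compositor clips each copy to the plane.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Grid:
    """Single-column grid geometry (hypothetical; not a parsed HEIF grid item)."""
    canvas_w: int   # output size declared by the grid image
    canvas_h: int
    rows: int       # number of tiles stacked vertically
    tile_h: int     # coded height shared by every tile


def chroma_rows(luma_rows: int, sub_v: int = 2) -> int:
    """Rows of a vertically subsampled chroma plane; an odd luma height rounds up."""
    return ceil(luma_rows / sub_v)


def tile_chroma_spans(grid: Grid, sub_v: int = 2) -> list[tuple[int, int]]:
    """Chroma row range [start, end) each tile would write before any clipping.

    Assumption of this example: tile chroma rows are placed directly after the
    rows of the tile above, so every odd-height tile pushes the next one down
    by one extra row.
    """
    per_tile = chroma_rows(grid.tile_h, sub_v)
    return [(r * per_tile, (r + 1) * per_tile) for r in range(grid.rows)]


def compose_chroma_safely(grid: Grid, sub_h: int = 2, sub_v: int = 2) -> dict:
    """Composite tile chroma rows into a canvas plane, clipping at its end.

    Returns the plane size, the rows each tile really received, and the number
    of bytes an unclipped copy would have written past the allocation.
    """
    plane_w = ceil(grid.canvas_w / sub_h)
    plane_h = chroma_rows(grid.canvas_h, sub_v)
    plane = bytearray(plane_w * plane_h)   # one byte per 8-bit chroma sample
    rows_per_tile = []
    overflow_bytes = 0
    for start, end in tile_chroma_spans(grid, sub_v):
        clipped_start = min(start, plane_h)
        clipped_end = min(end, plane_h)
        overflow_bytes += (end - clipped_end) * plane_w
        rows_per_tile.append(clipped_end - clipped_start)
        for row in range(clipped_start, clipped_end):
            # Stand-in for the memcpy of one chroma row of the tile.
            plane[row * plane_w:(row + 1) * plane_w] = b"\x80" * plane_w
    return {
        "plane_bytes": len(plane),
        "rows_per_tile": rows_per_tile,
        "overflow_bytes_if_unclipped": overflow_bytes,
    }


if __name__ == "__main__":
    # Constructed geometry: 1x4 grid of odd-height tiles, canvas height divisible by 4.
    risky = Grid(canvas_w=128, canvas_h=36, rows=4, tile_h=9)
    print(compose_chroma_safely(risky))
    # Same canvas width, even tile height: every tile fits exactly.
    print(compose_chroma_safely(Grid(canvas_w=128, canvas_h=40, rows=4, tile_h=10)))
```

With the constructed geometry (four tiles of height 9 on a 36-row canvas, so the chroma plane has an even 18 rows), the tiles request 20 chroma rows in total; the clipped compositor gives the last tile 3 rows rather than 5 and reports the 128 bytes an unclipped copy would have written beyond the plane. Four tiles of even height fit exactly. The defensive point is that the clip happens on the destination plane's real height before any row is copied, which is the check that turns a heap overflow into, at worst, a few dropped chroma rows.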
Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been fixed.