libheif Heap Buffer Overflow Vulnerability in Mask Image Decoding

Vulnerability

A heap buffer overflow vulnerability has been identified in libheif versions through 1.21.2, specifically within the MaskImageCodec::decode_mask_image() function. This vulnerability arises when the decoder processes a HEIF file containing a mask image (mski). The issue occurs because the function uses memcpy to transfer data from the iloc extent into a pixel buffer, without proper validation of the data length. The iloc extent, which is controlled by the attacker, can be manipulated to exceed the allocated buffer size, leading to a heap overflow. The vulnerability is triggered when the mskC property indicates 8 bits per pixel, and the ispe property specifies an even width of 64 or more, allowing the iloc extent to overflow the buffer allocation.
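The length check whose absence is described above, shown as an added example; this is not libheif's code and not the upstream fix. The mask_plane struct, copy_mask_checked(), try_extent() and the exact-length policy are assumptions made for illustration, and the 64x2 plane and its extents are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-bit mask plane; field names are illustrative, not libheif's. */
typedef struct {
    uint8_t *data;    /* heap buffer of stride * height bytes */
    size_t   width;   /* pixels per row, from ispe */
    size_t   height;  /* rows, from ispe */
    size_t   stride;  /* allocated bytes per row, >= width */
} mask_plane;

/* Copy an attacker-controlled extent into the plane only if its length
 * matches what the declared geometry requires at 8 bits per pixel.
 * Returns 0 on success, -1 if the input is rejected. */
int copy_mask_checked(mask_plane *dst, const uint8_t *extent, size_t extent_len)
{
    if (!dst || !dst->data || !extent) return -1;
    if (dst->width == 0 || dst->height == 0 || dst->stride < dst->width) return -1;
    if (dst->width > SIZE_MAX / dst->height) return -1;   /* width*height overflow */

    size_t expected = dst->width * dst->height;
    if (extent_len != expected) return -1;   /* policy of this example: exact match */

    /* Row-by-row copy never writes more than width bytes into any row. */
    for (size_t y = 0; y < dst->height; y++)
        memcpy(dst->data + y * dst->stride, extent + y * dst->width, dst->width);
    return 0;
}

/* Constructed test input: a 64x2 plane and an extent of extent_len bytes.
 * Returns the copy result, or -2 if the guard byte after the plane changed. */
int try_extent(size_t extent_len)
{
    enum { W = 64, H = 2 };
    uint8_t *buf = malloc(W * H + 1);
    uint8_t *extent = malloc(extent_len ? extent_len : 1);
    if (!buf || !extent) { free(buf); free(extent); return -3; }
    memset(extent, 0xFF, extent_len);
    buf[W * H] = 0xA5;                       /* guard byte past the plane */
    mask_plane p = { buf, W, H, W };
    int rc = copy_mask_checked(&p, extent, extent_len);
    if (buf[W * H] != 0xA5) rc = -2;
    free(buf); free(extent);
    return rc;
}
```

Only the extent whose length equals width * height is copied; shorter and longer extents are rejected before any write to the pixel buffer.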

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to heap corruption. Under certain conditions, this corruption can be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by creating a HEIF file that includes a mask image item. The file must be crafted so that the iloc extent length for the mask item exceeds the allocated pixel buffer size. This can be achieved by setting the ispe property width to an even value of 64 or greater, and ensuring the mskC property specifies 8 bits per pixel. When the file is processed by libheif, the overflow occurs as the decoder copies the iloc data into the pixel buffer without proper length validation.

Remediation

Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been fixed.

Added: May 19, 2026, 9:22 PM
Updated: May 19, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.