libheif
- <= 1.21.2
A vulnerability exists in libheif versions through 1.21.2 that leaks uninitialized heap memory when decoding HEIF grid images. A grid image is composed of tiles that are decoded separately and copied into a shared output canvas. With the default setting of strict_decoding=false, a corrupted tile that fails to decode is silently skipped: instead of signaling an error, the library returns heif_error_Ok, and the failed tile's region of the canvas is never written, so it still holds whatever the heap previously contained. This leaked data, over 4,096 bytes per color plane, is delivered to the caller as ordinary pixel values. In server-side image processing this can expose sensitive cross-user data, such as authentication tokens and other users' image content, especially when the decoded image is re-encoded and shared through channels like social media or CDNs.
Any application that uses libheif with its default decoding options to decode grid-based HEIF or AVIF files is affected: a single attacker-supplied file is enough to make the process return heap contents as image data. The exposure is most serious in server-side pipelines, where the decoded pixels are serialized and sent back to the requesting user or stored where other users can retrieve them.
The vulnerability can be reproduced by crafting a HEIF grid image with one corrupted tile and decoding it with libheif's default options. The decode returns success while the corrupted tile's region of the canvas contains uninitialized heap data. Two checks confirm the leak: decode the same file twice (or run with glibc's MALLOC_PERTURB_ set to a non-zero value) and compare the tile region, which differs between runs or takes the perturb value rather than a decoded pixel value; or build libheif with MemorySanitizer, which reports use-of-uninitialized-value as soon as the canvas is written to a file or inspected.
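The failure mode described above, modelled as a stand-alone example added here. This is not libheif's code: it is a deliberately simplified grid compositor in which tiles are fixed-size 8-bit squares, the tile decoder is a stub that fails when a constructed `corrupted` flag is set, and the names `decode_grid_vulnerable`, `decode_grid_fixed` and `region_is` are this example's own. The vulnerable routine reproduces the pattern the advisory describes (malloc'd canvas, failed tile skipped, success returned); the hardened routine either propagates the tile failure when strict, or writes defined content into the region when not strict, so no heap leftovers reach the caller either way.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy grid: every tile is TILE x TILE 8-bit samples of one color plane. */
#define TILE 4

typedef struct {
    int corrupted;   /* constructed input: 1 means "this tile fails to decode" */
    uint8_t fill;    /* sample value a good tile decodes to */
} tile_t;

/* Stub tile decoder: 0 on success, -1 when the tile is corrupt. */
static int decode_tile(const tile_t *t, uint8_t *out)
{
    if (t->corrupted)
        return -1;
    memset(out, t->fill, TILE * TILE);
    return 0;
}

/* Copy one decoded tile into its position on a cols-wide canvas. */
static void blit(uint8_t *canvas, int cols, int col, int row, const uint8_t *tile)
{
    int stride = cols * TILE;
    for (int y = 0; y < TILE; y++)
        memcpy(canvas + (row * TILE + y) * stride + col * TILE, tile + y * TILE, TILE);
}

/* Vulnerable pattern: a failed tile is skipped, its region is never written,
 * and the caller is still told the decode succeeded. */
int decode_grid_vulnerable(const tile_t *tiles, int cols, int rows, uint8_t **canvas_out)
{
    uint8_t *canvas = malloc((size_t)cols * TILE * rows * TILE); /* uninitialized heap */
    if (!canvas)
        return -1;
    uint8_t tile[TILE * TILE];
    for (int r = 0; r < rows; r++)
        for (int c = 0; c < cols; c++) {
            if (decode_tile(&tiles[r * cols + c], tile) != 0)
                continue; /* BUG: heap leftovers stay in this region, yet we return 0 */
            blit(canvas, cols, c, r, tile);
        }
    *canvas_out = canvas;
    return 0;
}

/* Hardened: strict -> fail the whole decode and release the canvas;
 * non-strict -> fill the failed region with a defined value (0). */
int decode_grid_fixed(const tile_t *tiles, int cols, int rows, int strict, uint8_t **canvas_out)
{
    uint8_t *canvas = malloc((size_t)cols * TILE * rows * TILE);
    if (!canvas)
        return -1;
    uint8_t tile[TILE * TILE];
    for (int r = 0; r < rows; r++)
        for (int c = 0; c < cols; c++) {
            if (decode_tile(&tiles[r * cols + c], tile) != 0) {
                if (strict) {
                    free(canvas);
                    *canvas_out = NULL;
                    return -1; /* error propagated instead of heif_error_Ok */
                }
                memset(tile, 0, sizeof tile); /* defined content, never heap leftovers */
            }
            blit(canvas, cols, c, r, tile); /* every region is now written exactly once */
        }
    *canvas_out = canvas;
    return 0;
}

/* Returns 1 if every sample of tile (col,row) on a cols-wide canvas equals v. */
int region_is(const uint8_t *canvas, int cols, int col, int row, uint8_t v)
{
    int stride = cols * TILE;
    for (int y = 0; y < TILE; y++)
        for (int x = 0; x < TILE; x++)
            if (canvas[(row * TILE + y) * stride + col * TILE + x] != v)
                return 0;
    return 1;
}

int main(void)
{
    /* Constructed 2x1 grid: a good tile followed by a corrupt one. */
    tile_t tiles[2] = { { 0, 0x7f }, { 1, 0 } };
    uint8_t *canvas = NULL;

    printf("vulnerable: rc=%d (success despite corrupt tile)\n",
           decode_grid_vulnerable(tiles, 2, 1, &canvas));
    /* Writing this canvas out under -fsanitize=memory is reported as
     * use-of-uninitialized-value for the second tile's region. */
    free(canvas);

    printf("fixed, strict: rc=%d\n", decode_grid_fixed(tiles, 2, 1, 1, &canvas));
    printf("fixed, lenient: rc=%d, failed region zeroed=%d\n",
           decode_grid_fixed(tiles, 2, 1, 0, &canvas), region_is(canvas, 2, 1, 0, 0));
    free(canvas);
    return 0;
}
```

The check in the lenient path (every tile region written exactly once, with a defined value when the tile fails) is what a regression test for this class of bug should assert; reading the vulnerable canvas's failed region is undefined behaviour and is exactly what MemorySanitizer flags.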
Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been fixed. Because the leak depends on strict_decoding being disabled, applications that cannot upgrade immediately can decode with the strict_decoding field of heif_decoding_options set, so that a corrupted tile fails the decode instead of returning heif_error_Ok with uninitialized pixels.