libheif Heap Buffer Over-Read Vulnerability in Overlay Compositing

Vulnerability

A heap buffer over-read vulnerability has been identified in libheif, a library for encoding and decoding HEIF and AVIF file formats. This vulnerability exists in versions through 1.21.2, within the HeifPixelImage::overlay() function in libheif/pixelimage.cc. The issue arises when an overlay image ('iovl') is composited, and its alpha channel bit depth differs from that of the color channels. The function incorrectly uses the color channel stride to access the alpha plane, leading to out-of-bounds reads of up to 3,123 bytes for certain image sizes and bit depths. This flaw can cause a crash or potentially disclose adjacent heap memory through leaked bytes in the decoded output pixels.
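The stride confusion described above, modelled as an added example that is not libheif's own code: `Plane`, `makePlane`, `overReadBytes` and `alphaAccessIsSafe` are assumed names, the one-byte-per-sample (up to 8 bits) / two-bytes-per-sample storage rule and the 16-byte row alignment are assumptions, and the constructed 64x32 case illustrates the over-read rather than reproducing the page's 3,123-byte figure.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal model of an image plane (assumed types, not libheif's own).
struct Plane {
    int width, height, bit_depth;
    size_t stride;              // bytes per row, including alignment padding
    std::vector<uint8_t> data;  // exactly height * stride bytes
};

// Assumed storage convention: one byte per sample up to 8 bits, two bytes above.
static size_t bytesPerSample(int bit_depth) { return bit_depth > 8 ? 2 : 1; }

static Plane makePlane(int w, int h, int bit_depth, size_t align) {
    Plane p{w, h, bit_depth, 0, {}};
    size_t row = static_cast<size_t>(w) * bytesPerSample(bit_depth);
    p.stride = (row + align - 1) / align * align;
    p.data.assign(p.stride * static_cast<size_t>(h), 0);
    return p;
}

// Bytes read past the end of `plane` when its rows are addressed with `stride`
// (0 when in bounds). The page's bug is exactly this: the alpha plane addressed
// with the color plane's stride, which is larger when color is 10-bit and alpha 8-bit.
static size_t overReadBytes(const Plane& plane, size_t stride) {
    size_t end = static_cast<size_t>(plane.height - 1) * stride
               + static_cast<size_t>(plane.width) * bytesPerSample(plane.bit_depth);
    return end > plane.data.size() ? end - plane.data.size() : 0;
}

// Hardened precondition for a compositing loop: the alpha plane must be walked with
// its own stride, and the final row must stay inside its allocation.
static bool alphaAccessIsSafe(const Plane& alpha, size_t strideUsed) {
    return strideUsed == alpha.stride && overReadBytes(alpha, strideUsed) == 0;
}

// Constructed case matching the page: 10-bit color, 8-bit alpha, same dimensions.
static size_t demoOverRead(int w, int h) {
    Plane color = makePlane(w, h, 10, 16);
    Plane alpha = makePlane(w, h, 8, 16);
    return overReadBytes(alpha, color.stride);  // buggy: color stride applied to alpha
}

int main() {
    std::printf("over-read with color stride: %zu bytes\n", demoOverRead(64, 32));
    return 0;
}
```

With the alpha plane's own stride the same call reports 0 bytes, which is the check a compositing routine should make before reading the plane.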

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition by causing a crash, or it can result in unauthorized information disclosure by leaking adjacent heap memory into the decoded output pixels.

Reproduction

The vulnerability can be reproduced by creating a HEIF file with an overlay image whose alpha channel bit depth differs from that of the color channels. This can be done using the libheif library by encoding an image with 10-bit RGB channels and 8-bit alpha, then adding an overlay that triggers the incorrect stride usage. When this crafted file is decoded, the out-of-bounds read occurs; building libheif with AddressSanitizer enabled allows the out-of-bounds read to be detected and reported.

Remediation

Users can upgrade to libheif version 1.22.0, where this vulnerability has been fixed.

Added: May 19, 2026, 9:21 PM
Updated: May 19, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.