strukturag libheif
cpe:2.3:a:struktur:libheif:*:*:*:*:*:*:*
- <= 1.21.2
A vulnerability allowing out-of-bounds read has been identified in strukturag libheif versions through 1.21.2. This issue arises in the HEIF file parser component, specifically within the vvdec_push_data2 function of the decoder_vvdec.cc file. The vulnerability is caused by the function improperly validating the size of NAL units before processing them, which can lead to reading data beyond the intended buffer. The issue must be exploited locally, and a public proof-of-concept is available.
Exploitation of this vulnerability causes a heap-buffer-overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by crafting a HEIF file that includes a NAL unit with a declared size that exceeds the actual available data. This can be done using the public proof-of-concept available on GitHub.
Users are advised to update to version 1.21.3 or later, where this vulnerability has been fixed.
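The size check whose absence is described above, shown as an added example; this is not libheif's code or its 1.21.3 patch. The 4-byte big-endian length prefix and the names `split_nal_units`, `NalSpan` and `ParseStatus` are assumptions made for illustration.

```cpp
// Added illustration (not libheif source): bounds-checked split of a buffer
// into length-prefixed NAL units. The 4-byte big-endian prefix is an assumption.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct NalSpan { size_t offset; size_t size; };  // payload position in buffer
enum class ParseStatus { Ok, TruncatedPrefix, SizeExceedsBuffer };

// Appends one span per NAL unit to `out`. Stops at the first unit whose
// prefix is cut short or whose declared size exceeds the bytes remaining.
ParseStatus split_nal_units(const uint8_t* data, size_t len,
                            std::vector<NalSpan>& out) {
  constexpr size_t kPrefix = 4;
  size_t pos = 0;
  while (pos < len) {
    if (len - pos < kPrefix) return ParseStatus::TruncatedPrefix;
    const uint32_t declared = (uint32_t(data[pos]) << 24) |
                              (uint32_t(data[pos + 1]) << 16) |
                              (uint32_t(data[pos + 2]) << 8) |
                              uint32_t(data[pos + 3]);
    pos += kPrefix;
    // Compare against the remaining length instead of computing
    // pos + declared, which can wrap where size_t is 32 bits.
    if (declared > len - pos) return ParseStatus::SizeExceedsBuffer;
    out.push_back({pos, declared});
    pos += declared;
  }
  return ParseStatus::Ok;
}

int main() {
  // Constructed inputs: two well-formed units, then one unit that
  // declares 16 payload bytes while only 2 are present.
  const uint8_t good[] = {0, 0, 0, 2, 0xAA, 0xBB, 0, 0, 0, 1, 0xCC};
  const uint8_t bad[] = {0, 0, 0, 16, 0xAA, 0xBB};
  std::vector<NalSpan> units;
  ParseStatus s = split_nal_units(good, sizeof good, units);
  std::printf("good: status=%d units=%zu\n", int(s), units.size());
  units.clear();
  s = split_nal_units(bad, sizeof bad, units);
  std::printf("bad:  status=%d units=%zu\n", int(s), units.size());
  return 0;
}
```

A caller should reject the whole sample on any status other than `Ok` rather than pass the already-collected spans on to the decoder.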