strukturag libheif Out-of-Bounds Read Vulnerability in Track Loading Function

Vulnerability

A vulnerability exists in strukturag libheif versions through 1.21.2, specifically in the Track::load function within the stsz/stts component. This vulnerability allows a crafted file to declare more samples in the stsz/stts boxes than are actually covered by the stsc box. The inconsistency is not properly validated during the track loading process, which can lead to an out-of-bounds read error. This issue is exploitable locally and has been demonstrated with a public proof-of-concept.
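The cross-check between the sample tables described above, written as an added example (not libheif's code and not the unofficial patch). The struct and function names are hypothetical, and the chunk count is assumed to come from the track's stco/co64 box.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Simplified stand-ins for parsed sample tables (hypothetical, not libheif types).
struct StscEntry { uint32_t first_chunk; uint32_t samples_per_chunk; };
struct SttsEntry { uint32_t sample_count; uint32_t sample_delta; };

// Samples that the stsc runs map onto chunk_count chunks (count taken from
// stco/co64). Returns nullopt when the stsc table itself is malformed.
std::optional<uint64_t> stsc_coverage(const std::vector<StscEntry>& stsc,
                                      uint32_t chunk_count) {
  const uint64_t limit = uint64_t{chunk_count} + 1;  // one past the last chunk
  uint64_t covered = 0;
  for (size_t i = 0; i < stsc.size(); i++) {
    uint64_t first = stsc[i].first_chunk;  // 1-based chunk index
    // A run ends where the next run starts, or after the last chunk.
    uint64_t end = (i + 1 < stsc.size()) ? stsc[i + 1].first_chunk : limit;
    if ((i == 0 && first != 1) || end <= first || end > limit) return std::nullopt;
    covered += (end - first) * stsc[i].samples_per_chunk;
  }
  return covered;
}

// True only if the sample counts declared by stsz and stts do not exceed
// the number of samples that stsc actually covers.
bool sample_tables_consistent(uint32_t stsz_sample_count,
                              const std::vector<SttsEntry>& stts,
                              const std::vector<StscEntry>& stsc,
                              uint32_t chunk_count) {
  auto covered = stsc_coverage(stsc, chunk_count);
  if (!covered || stsz_sample_count > *covered) return false;
  uint64_t stts_total = 0;
  for (const auto& e : stts) {
    stts_total += e.sample_count;
    if (stts_total > *covered) return false;  // stop before the sum can wrap
  }
  return true;
}

int main() {
  // Constructed tables: 2 chunks with 2 samples each, so stsc covers 4 samples.
  std::vector<StscEntry> stsc = {{1, 2}};
  std::printf("4 declared: %s\n", sample_tables_consistent(4, {{4, 1}}, stsc, 2) ? "ok" : "reject");
  std::printf("6 declared: %s\n", sample_tables_consistent(6, {{6, 1}}, stsc, 2) ? "ok" : "reject");
}
```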

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, where the application reads data beyond the allocated memory buffer. This type of out-of-bounds read can lead to memory corruption, potentially allowing for arbitrary code execution or causing a crash, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced with the 'heif-dec' command-line tool included with libheif. Craft a HEIF file in which the stsz/stts sample count exceeds the stsc coverage, then decode it with 'heif-dec'. AddressSanitizer will report a heap-buffer-overflow error, indicating that the out-of-bounds read occurred.

Remediation

A patch for this vulnerability has been created but is unofficial and not yet approved. It is recommended to apply this patch once it is officially released.

Added: Mar 11, 2026, 8:20 PM
Updated: Mar 11, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.