libheif Out-of-Bounds Read Vulnerability in HEIF Sequence File Parsing Leading to Denial-of-Service

A vulnerability in libheif versions through 1.21.2 allows a malformed HEIF sequence file to cause an out-of-bounds read in the core sequence parsing logic. This flaw can lead to a denial-of-service condition by crashing the application. The issue arises when a file's stco.entry_count is zero, creating no chunks, while the saio.entry_count also equals zero, allowing the file to pass validation. However, with a positive saiz.sample_count, the SampleAuxInfoReader constructor improperly processes the file, resulting in an out-of-bounds dereference on an empty chunk vector.

Impact

Exploitation of this vulnerability causes a process crash, creating a denial-of-service condition. The out-of-bounds read leads to an invalid memory access, which is typically exploited to cause a segmentation fault, crashing the application.

Reproduction

The vulnerability can be reproduced with a standalone application that uses the libheif library. This application should call the 'heif_context_read_from_file' function with a crafted HEIF file that exploits the vulnerability. The file must be constructed to have a stco entry count of zero, a matching saio entry count of zero, and a saiz sample count greater than zero. When this file is processed, the application will crash due to the out-of-bounds read.

Remediation

Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been patched.