libheif
- <= 1.21.2
A heap buffer over-read vulnerability has been identified in libheif, a library for decoding and encoding HEIF and AVIF file formats. This vulnerability exists in versions through 1.21.2. The issue arises when a crafted HEIF sequence file is processed, specifically one where the 'saiz' box indicates more samples than are actually present in the track's chunk table. The 'SampleAuxInfoReader' constructor, which reads the 'saiz' sample count, fails to validate this count against the actual number of chunks. As a result, the vulnerability allows for an out-of-bounds read on the chunks vector, potentially leading to information disclosure and a crash. The vulnerability is triggered during file parsing by the 'heif_context_read_from_file' function, without any additional user interaction.
Exploitation of this vulnerability causes a heap buffer over-read, leading to a crash and potential information disclosure.
The vulnerability can be reproduced by creating a crafted HEIF sequence file whose 'saiz' box declares an inflated sample count. Processing that file with a libheif build that has AddressSanitizer enabled and is compiled without -DNDEBUG (so assertions stay active) allows the out-of-bounds access to occur; AddressSanitizer then reports a heap-buffer-overflow error, confirming that the vulnerability has been triggered.
Users can upgrade to libheif version 1.22.0 or later, where this vulnerability has been fixed.