libtheora AVI Parser Heap-Based Out-of-Bounds Read Vulnerability

Vulnerability

A heap-based out-of-bounds read vulnerability has been identified in libtheora, specifically within the AVI parser's avi_parse_input_file() function. The parser does not properly validate the length of a header sub-chunk before executing fixed-offset memory copy operations, so the flaw is triggered when it processes a malformed AVI file containing a truncated header sub-chunk. A local attacker could exploit this flaw by persuading a user to open the crafted AVI file, potentially causing a denial-of-service condition through an application crash or leaking sensitive information from the heap.
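
The missing check, shown as an added example (not libtheora's code and not taken from the advisory): a sub-chunk parser that validates the declared and available lengths before any fixed-offset read. It assumes the sub-chunk is the standard 56-byte AVI main header ("avih"); the names parse_avih_checked and sample_width are hypothetical and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AVIH_SIZE 56u /* AVI main header body: 14 little-endian DWORDs */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical parser for one "avih" sub-chunk (fourcc, size, body).
 * Returns 0 on success, -1 when the chunk is truncated or malformed. */
int parse_avih_checked(const uint8_t *buf, size_t len,
                       uint32_t *width, uint32_t *height) {
    if (len < 8 || memcmp(buf, "avih", 4) != 0)
        return -1;                        /* no room for fourcc + size */
    uint32_t declared = rd_le32(buf + 4);
    if (declared > len - 8)
        return -1;                        /* size field exceeds bytes present */
    if (declared < AVIH_SIZE)
        return -1;                        /* truncated: offsets 32/36 out of bounds */
    *width  = rd_le32(buf + 8 + 32);      /* dwWidth  */
    *height = rd_le32(buf + 8 + 36);      /* dwHeight */
    return 0;
}

/* Constructed sample: an exactly-sized heap chunk with body_len body bytes
 * and a size field of `declared`. Returns the parsed width, -1 if rejected. */
long sample_width(uint32_t declared, size_t body_len) {
    uint32_t w = 0, h = 0;
    uint8_t *buf = calloc(1, 8 + body_len);
    if (!buf) return -2;
    memcpy(buf, "avih", 4);
    for (int i = 0; i < 4; i++) buf[4 + i] = (uint8_t)(declared >> (8 * i));
    if (body_len >= 40) { buf[8 + 32] = 0x80; buf[8 + 33] = 0x02; } /* 640 */
    int rc = parse_avih_checked(buf, 8 + body_len, &w, &h);
    free(buf);
    return rc == 0 ? (long)w : -1;
}

int main(void) {
    printf("complete=%ld truncated=%ld lying=%ld\n",
           sample_width(56, 56), sample_width(12, 12), sample_width(56, 12));
    return 0;
}
```

Because each sample buffer is allocated at exactly the chunk's size, building with -fsanitize=address confirms that the checked parser never reads beyond the allocation for the truncated inputs.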

Impact

Exploitation of this vulnerability causes a heap-based out-of-bounds read, resulting in a segmentation fault or application crash. Additionally, it may lead to unauthorized information disclosure from the heap, such as cryptographic keys or personally identifiable information.

Reproduction

The vulnerability can be reproduced by compiling a proof-of-concept program with AddressSanitizer enabled, which demonstrates the heap-buffer-over-read when the AVI parser processes a truncated header in a crafted AVI file.

Remediation

Users are advised to avoid opening untrusted AVI files and to exercise caution with AVI files from unknown or suspicious sources.

Added: Apr 6, 2026, 10:18 AM
Updated: Apr 6, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 5.6
remediation: 7.9
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.