CVE-2023-49463: SEGV libheif/libheif/exif.cc:88 in find_exif_tag · Issue #1042 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.


Description

SEGV libheif/libheif/exif.cc:88 in find_exif_tag

Version

 heif-convert  libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options]  <input-image> [output-image]

The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.

Options:
  -h, --help                     show help
  -v, --version                  show version
  -q, --quality                  quality (for JPEG output)
  -o, --output FILENAME          write output to FILENAME (optional)
  -d, --decoder ID               use a specific decoder (see --list-decoders)
      --with-aux                 also write auxiliary images (e.g. depth images)
      --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
      --with-exif                write EXIF metadata to file (output filename with .exif suffix)
      --skip-exif-offset         skip EXIF metadata offset bytes
      --no-colons                replace ':' characters in auxiliary image filenames with '_'
      --list-decoders            list all available decoders (built-in and plugins)
      --quiet                    do not output status messages to console
  -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
      --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.

Replay

cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
make -j
./examples/heif-convert ./poc test.png

ASAN

=================================================================
==216883==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0b184d2bc (pc 0x55f4628c3ca8 bp 0x00004e7b34c8 sp 0x7ffe414d49b0 T0)
==216883==The signal is caused by a READ memory access.
    #0 0x55f4628c3ca8 in find_exif_tag eva/put/libheif/libheif/exif.cc:88
    #1 0x55f4628c536b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) eva/put/libheif/libheif/exif.cc:124
    #2 0x55f4628c536b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) eva/put/libheif/libheif/exif.cc:140
    #3 0x55f4628cac75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) eva/put/libheif/examples/encoder_png.cc:126
    #4 0x55f4628b4c99 in main eva/put/libheif/examples/heif_convert.cc:509
    #5 0x7fb342a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7fb342a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x55f4628bd254 in _start (eva/put/libheif/build/examples/heif-convert+0x15254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV eva/put/libheif/libheif/exif.cc:88 in find_exif_tag
==216883==ABORTING

POC

poc (attached file, passed as ./poc in the Replay step)

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)
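The report gives the crash site but not the defect. As an added example that is neither libheif's code nor the issue's poc, the C below shows the bounds-checked form of the operation the ASan trace passes through: locating an IFD0 entry (here the orientation tag 0x0112, the tag modify_exif_orientation_tag_if_it_exists works on) inside a TIFF-structured EXIF block. It assumes, consistent with ASan reporting a READ of an unmapped address far from any allocation, that the failure class is an offset or entry count taken from the EXIF bytes and dereferenced without validation; the function names (find_exif_tag_checked, exif_orientation_checked) and the three sample buffers (good_exif, bad_offset_exif, bad_count_exif) are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added illustration, not libheif code. EXIF payload modelled on a TIFF header:
 *   bytes 0-1  byte order: "II" little-endian, "MM" big-endian
 *   bytes 2-3  magic 42
 *   bytes 4-7  offset of IFD0 from the start of the TIFF header
 *   IFD0:      u16 entry count, then 12-byte entries (tag, type, count, value/offset)
 */

#define EXIF_TAG_ORIENTATION 0x0112
#define TIFF_TYPE_SHORT      3

/* Overflow-safe bounded reads: every access goes through these. */
static int read_u16(const uint8_t* buf, size_t size, size_t pos, int big_endian, uint16_t* out)
{
    if (pos > size || size - pos < 2) return 0;
    *out = big_endian ? (uint16_t)((buf[pos] << 8) | buf[pos + 1])
                      : (uint16_t)((buf[pos + 1] << 8) | buf[pos]);
    return 1;
}

static int read_u32(const uint8_t* buf, size_t size, size_t pos, int big_endian, uint32_t* out)
{
    if (pos > size || size - pos < 4) return 0;
    if (big_endian)
        *out = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
               ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
    else
        *out = ((uint32_t)buf[pos + 3] << 24) | ((uint32_t)buf[pos + 2] << 16) |
               ((uint32_t)buf[pos + 1] << 8) | buf[pos];
    return 1;
}

/* Byte offset of the IFD0 entry carrying query_tag, or -1 if absent or malformed.
   The IFD offset and the entry count both come from untrusted data and are
   checked against the buffer size before anything is read through them. */
long find_exif_tag_checked(const uint8_t* exif, size_t size, uint16_t query_tag, int* out_big_endian)
{
    if (exif == NULL || size < 8) return -1;
    int big_endian;
    if (exif[0] == 'M' && exif[1] == 'M')      big_endian = 1;
    else if (exif[0] == 'I' && exif[1] == 'I') big_endian = 0;
    else return -1;
    if (out_big_endian) *out_big_endian = big_endian;

    uint16_t magic;
    if (!read_u16(exif, size, 2, big_endian, &magic) || magic != 42) return -1;

    uint32_t ifd_offset;
    if (!read_u32(exif, size, 4, big_endian, &ifd_offset)) return -1;
    if (ifd_offset < 8 || ifd_offset > size - 2) return -1;       /* room for the entry count */

    uint16_t count;
    if (!read_u16(exif, size, ifd_offset, big_endian, &count)) return -1;
    if ((size_t)count * 12 > size - ifd_offset - 2) return -1;    /* every entry must fit */

    for (uint16_t i = 0; i < count; i++) {
        size_t entry = (size_t)ifd_offset + 2 + (size_t)i * 12;
        uint16_t tag;
        if (!read_u16(exif, size, entry, big_endian, &tag)) return -1;
        if (tag == query_tag) return (long)entry;
    }
    return -1;
}

/* Orientation value (1..8 in well-formed files), or -1 if missing or malformed. */
int exif_orientation_checked(const uint8_t* exif, size_t size)
{
    int big_endian = 0;
    long entry = find_exif_tag_checked(exif, size, EXIF_TAG_ORIENTATION, &big_endian);
    if (entry < 0) return -1;
    uint16_t type, value;
    uint32_t count;
    if (!read_u16(exif, size, (size_t)entry + 2, big_endian, &type) || type != TIFF_TYPE_SHORT) return -1;
    if (!read_u32(exif, size, (size_t)entry + 4, big_endian, &count) || count != 1) return -1;
    /* SHORT with count 1: the value sits in the first two bytes of the 4-byte value field */
    if (!read_u16(exif, size, (size_t)entry + 8, big_endian, &value)) return -1;
    return value;
}

/* Constructed sample payloads (not the issue's poc). */
static const uint8_t good_exif[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08,                      /* header, IFD0 at 8 */
    0x00,0x01,                                                    /* one entry */
    0x01,0x12, 0x00,0x03, 0x00,0x00,0x00,0x01, 0x00,0x06,0x00,0x00, /* orientation = 6 */
    0x00,0x00,0x00,0x00 };                                        /* no next IFD */
static const uint8_t bad_offset_exif[] = {                        /* IFD0 offset points far past the buffer */
    'M','M', 0x00,0x2A, 0x7F,0xFF,0xFF,0xF0,
    0x00,0x01, 0x01,0x12, 0x00,0x03, 0x00,0x00,0x00,0x01, 0x00,0x06,0x00,0x00 };
static const uint8_t bad_count_exif[] = {                         /* 65535 entries claimed in 22 bytes */
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0xFF,0xFF, 0x12,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x06,0x00,0x00,0x00 };

int main(void)
{
    printf("good:       tag at %ld, orientation %d\n",
           find_exif_tag_checked(good_exif, sizeof good_exif, EXIF_TAG_ORIENTATION, NULL),
           exif_orientation_checked(good_exif, sizeof good_exif));
    printf("bad offset: %ld\n", find_exif_tag_checked(bad_offset_exif, sizeof bad_offset_exif, EXIF_TAG_ORIENTATION, NULL));
    printf("bad count:  %ld\n", find_exif_tag_checked(bad_count_exif, sizeof bad_count_exif, EXIF_TAG_ORIENTATION, NULL));
    return 0;
}
```

The two rejected buffers are the shapes a fuzzer finds first: an IFD offset beyond the buffer, and an entry count whose 12-byte entries cannot fit. Without the two size comparisons before read_u16 is called through them, either one turns into a read at an attacker-chosen distance from the EXIF buffer, which is what a SEGV on an unmapped address inside a tag-search loop looks like under ASan.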

Related news

Ubuntu Security Notice USN-6847-1

Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.
