Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49463: SEGV libheif/libheif/exif.cc:88 in find_exif_tag · Issue #1042 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.

CVE
#ubuntu#c++#chrome

Description

SEGV libheif/libheif/exif.cc:88 in find_exif_tag

Version

 heif-convert  libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options]  <input-image> [output-image]

The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.

Options:
  -h, --help                     show help
  -v, --version                  show version
  -q, --quality                  quality (for JPEG output)
  -o, --output FILENAME          write output to FILENAME (optional)
  -d, --decoder ID               use a specific decoder (see --list-decoders)
      --with-aux                 also write auxiliary images (e.g. depth images)
      --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
      --with-exif                write EXIF metadata to file (output filename with .exif suffix)
      --skip-exif-offset         skip EXIF metadata offset bytes
      --no-colons                replace ':' characters in auxiliary image filenames with '_'
      --list-decoders            list all available decoders (built-in and plugins)
      --quiet                    do not output status messages to console
  -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
      --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.

Replay

cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
make -j
./examples/heif-convert ./poc test.png

ASAN

=================================================================
==216883==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0b184d2bc (pc 0x55f4628c3ca8 bp 0x00004e7b34c8 sp 0x7ffe414d49b0 T0)
==216883==The signal is caused by a READ memory access.
    #0 0x55f4628c3ca8 in find_exif_tag eva/put/libheif/libheif/exif.cc:88
    #1 0x55f4628c536b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) eva/put/libheif/libheif/exif.cc:124
    #2 0x55f4628c536b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) eva/put/libheif/libheif/exif.cc:140
    #3 0x55f4628cac75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) eva/put/libheif/examples/encoder_png.cc:126
    #4 0x55f4628b4c99 in main eva/put/libheif/examples/heif_convert.cc:509
    #5 0x7fb342a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7fb342a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x55f4628bd254 in _start (eva/put/libheif/build/examples/heif-convert+0x15254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV eva/put/libheif/libheif/exif.cc:88 in find_exif_tag
==216883==ABORTING

POC

poc

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)

Related news

Ubuntu Security Notice USN-6847-1

Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907