CVE-2023-49460: AddressSanitizer: SEGV in `decode_uncompressed_image` · Issue #1046 · strukturag/libheif
libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.
Description
AddressSanitizer: SEGV in decode_uncompressed_image
Version
commit: 64ece913266609789f5dc70fe7de9eb759badd7f
heif-convert libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options] <input-image> [output-image]
The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
Options:
-h, --help show help
-v, --version show version
-q, --quality quality (for JPEG output)
-o, --output FILENAME write output to FILENAME (optional)
-d, --decoder ID use a specific decoder (see --list-decoders)
--with-aux also write auxiliary images (e.g. depth images)
--with-xmp write XMP metadata to file (output filename with .xmp suffix)
--with-exif write EXIF metadata to file (output filename with .exif suffix)
--skip-exif-offset skip EXIF metadata offset bytes
--no-colons replace ':' characters in auxiliary image filenames with '_'
--list-decoders list all available decoders (built-in and plugins)
--quiet do not output status messages to console
-C, --chroma-upsampling ALGO Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
--png-compression-level # Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
Replay
cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
make -j
./examples/heif-convert ./poc test.png
ASAN
==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
==89344==The signal is caused by a READ memory access.
==89344==Hint: address points to the zero page.
#0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
#1 0x7f955d85f4de (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
#2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:758
#3 0x7f955d5b7304 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
#4 0x7f955d5b42a8 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
#5 0x7f955d5771f4 in heif_decode_image libheif/libheif/heif.cc:1044
#6 0x55e9351aca11 in main libheif/examples/heif_convert.cc:484
#7 0x7f955cfef082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#8 0x55e9351a7add in _start (libheif/build/examples/heif-convert+0xbadd)
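As an added example (not from the issue or from libheif), a small triage helper that parses an AddressSanitizer unknown-address report like the one above into the fields a crash-bucketing pipeline keys on: the signal, whether the faulting address lies on the zero page (a NULL or near-NULL pointer read), the frame #0 routine, and the first frame with a source location inside the project. The embedded report is a constructed, abridged copy of the trace above, and the project prefix "libheif/" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged copy of the ASan report quoted in the issue above (signatures shortened).
SAMPLE_REPORT = """\
==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
==89344==The signal is caused by a READ memory access.
==89344==Hint: address points to the zero page.
    #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
    #1 0x7f955d85f4de (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
    #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(...) libheif/libheif/uncompressed_image.cc:758
    #3 0x7f955d5b7304 in HeifContext::decode_image_planar(...) const libheif/libheif/context.cc:1452
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
TOP_FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$")  # frames with a source location only

@dataclass
class Triage:
    signal: str                     # e.g. "SEGV"
    address: int                    # faulting address
    access: Optional[str]           # "READ" or "WRITE" when ASan reports it
    null_deref: bool                # zero-page access, i.e. a NULL or near-NULL pointer
    crash_site: Optional[str]       # function in frame #0, often a libc routine such as memcpy
    project_frame: Optional[str]    # first frame with source under project_prefix (assumed prefix)
    def bucket_key(self) -> str:  # stable key for de-duplicating crashes with the same root frame
        return f"{self.signal}:{self.access}:{self.project_frame}"

def triage_asan_report(text: str, project_prefix: str) -> Triage:
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer unknown-address report")
    addr = int(m.group(2), 16)
    acc = ACCESS_RE.search(text)
    crash_site = project_frame = None
    for line in text.splitlines():
        top = TOP_FRAME_RE.match(line)
        if top and crash_site is None:
            crash_site = top.group(1)
        fr = FRAME_RE.match(line)
        if fr and project_frame is None and fr.group(2).startswith(project_prefix):
            project_frame = f"{fr.group(2)}:{fr.group(3)}"
    return Triage(m.group(1), addr, acc.group(1) if acc else None,
                  addr < 0x1000 or "points to the zero page" in text, crash_site, project_frame)

if __name__ == "__main__":
    print(triage_asan_report(SAMPLE_REPORT, "libheif/"))
```

The bucket key groups reports that crash through the same in-project frame, so repeated fuzzer findings for this uncompressed_image.cc:758 site collapse into one bucket even when the libc frame #0 address differs.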
POC
- poc
Environment
Description: Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Credit
Yuchuan Meng (Fudan University)
Related news
Ubuntu Security Notice USN-6847-1
Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.