Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49460: AddressSanitizer: SEGV in `decode_uncompressed_image` · Issue #1046 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.

CVE
#ubuntu#linux#c++#chrome

Description

AddressSanitizer: SEGV in decode_uncompressed_image

Version

commit: 64ece913266609789f5dc70fe7de9eb759badd7f

heif-convert  libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options]  <input-image> [output-image]

The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.

Options:
  -h, --help                     show help
  -v, --version                  show version
  -q, --quality                  quality (for JPEG output)
  -o, --output FILENAME          write output to FILENAME (optional)
  -d, --decoder ID               use a specific decoder (see --list-decoders)
      --with-aux                 also write auxiliary images (e.g. depth images)
      --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
      --with-exif                write EXIF metadata to file (output filename with .exif suffix)
      --skip-exif-offset         skip EXIF metadata offset bytes
      --no-colons                replace ':' characters in auxiliary image filenames with '_'
      --list-decoders            list all available decoders (built-in and plugins)
      --quiet                    do not output status messages to console
  -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
      --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.

Replay

cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
make -j
./examples/heif-convert ./poc test.png

ASAN

==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
==89344==The signal is caused by a READ memory access.
==89344==Hint: address points to the zero page.
    #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
    #1 0x7f955d85f4de  (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
    #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:758
    #3 0x7f955d5b7304 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
    #4 0x7f955d5b42a8 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
    #5 0x7f955d5771f4 in heif_decode_image libheif/libheif/heif.cc:1044
    #6 0x55e9351aca11 in main libheif/examples/heif_convert.cc:484
    #7 0x7f955cfef082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x55e9351a7add in _start (libheif/build/examples/heif-convert+0xbadd)

POC

  • poc

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)

Related news

Ubuntu Security Notice USN-6847-1

Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907