Headline
CVE-2023-49462: SEGV libheif/libheif/exif.cc:55 in read16 · Issue #1043 · strukturag/libheif
libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.
Description
SEGV libheif/libheif/exif.cc:55 in read16
Version
heif-convert libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options] <input-image> [output-image]
The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
Options:
-h, --help show help
-v, --version show version
-q, --quality quality (for JPEG output)
-o, --output FILENAME write output to FILENAME (optional)
-d, --decoder ID use a specific decoder (see --list-decoders)
--with-aux also write auxiliary images (e.g. depth images)
--with-xmp write XMP metadata to file (output filename with .xmp suffix)
--with-exif write EXIF metadata to file (output filename with .exif suffix)
--skip-exif-offset skip EXIF metadata offset bytes
--no-colons replace ':' characters in auxiliary image filenames with '_'
--list-decoders list all available decoders (built-in and plugins)
--quiet do not output status messages to console
-C, --chroma-upsampling ALGO Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
--png-compression-level # Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
Replay
cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
make -j
./examples/heif-convert ./poc test.png
ASAN
==1926429==ERROR: AddressSanitizer: SEGV on unknown address 0x60b080000729 (pc 0x55abe2b1012c bp 0x000000000000 sp 0x7ffe0b2df5a0 T0)
==1926429==The signal is caused by a READ memory access.
#0 0x55abe2b1012c in read16 /eva/put/libheif/libheif/exif.cc:55
#1 0x55abe2b1012c in find_exif_tag /eva/put/libheif/libheif/exif.cc:103
#2 0x55abe2b1136b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) /eva/put/libheif/libheif/exif.cc:124
#3 0x55abe2b1136b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) /eva/put/libheif/libheif/exif.cc:140
#4 0x55abe2b16c75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /eva/put/libheif/examples/encoder_png.cc:126
#5 0x55abe2b00c99 in main /eva/put/libheif/examples/heif_convert.cc:509
#6 0x7fb15dc29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7fb15dc29e3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x55abe2b09254 in _start (/eva/asan-bin/NestFuzz/libheif/heif-convert+0x15254)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /eva/put/libheif/libheif/exif.cc:55 in read16
==1926429==ABORTING
POC
poc
Environment
Description: Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Credit
Yuchuan Meng (Fudan University)
Related news
Debian Linux Security Advisory 5796-1 - Multiple security issues were found in libheif, a library to parse HEIF and AVIF files, which could result in denial of service or potentially the execution of arbitrary code.
Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.