Headline
CVE-2023-0996: CVE-2023-0996
There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.
Buffer Overflow in heif_js_decode_image in libheif v1.14.2****CVE ID
CVE-2023-0996
Description
There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.
Tested Versions
v1.14.2
Details
libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format) file format decoder and encoder.
Timeline
- 2022-10-21 - Vendor Disclosure
- 2023-01-11- Vendor Patched
- 2023-02-24 - Public Release
Credit
Discovered by Eugene Lim of GovTech Singapore.
Related news
Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.