CVE-2023-29659: FPE in box.cc - heif::Fraction::round() · Issue #794 · strukturag/libheif
A segmentation fault caused by a floating point exception exists in libheif 1.15.1 when processing crafted HEIF images via the heif::Fraction::round() function in box.cc, which causes a denial of service.
Tested version:
libheif-1.15.1
Description of the bug:
A floating point exception is triggered when processing a crafted HEIF image, caused by a divide-by-zero error, which leads to a crash.
This can be used for denial of service attacks.
Steps to reproduce the bug:
Compile with Address Sanitizer (ASan):
./fuzzer ./poc.heif
Address Sanitizer log:
min@skensita:~/heif/fuzzer$ ./fuzzer dbg/classifiedCrashes/7e74fe547c83f1da6453572ddfe6832d1da6109c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8030==ERROR: AddressSanitizer: FPE on unknown address 0x55722e2d29ed (pc 0x55722e2d29ed bp 0x7ffebc2cd170 sp 0x7ffebc2cd160 T0)
#0 0x55722e2d29ec in heif::Fraction::round() const (/home/min/heif/fuzzer/fuzzer+0x1189ec)
#1 0x55722e2f32da in heif::Box_clap::bottom_rounded(int) const (/home/min/heif/fuzzer/fuzzer+0x1392da)
#2 0x55722e22568c in heif::HeifContext::decode_image_planar(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const (/home/min/heif/fuzzer/fuzzer+0x6b68c)
#3 0x55722e222609 in heif::HeifContext::decode_image_user(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const (/home/min/heif/fuzzer/fuzzer+0x68609)
#4 0x55722e1dd8dc in heif_decode_image (/home/min/heif/fuzzer/fuzzer+0x238dc)
#5 0x55722e1d46fa in TestDecodeImage(heif_context*, heif_image_handle const*) (/home/min/heif/fuzzer/fuzzer+0x1a6fa)
#6 0x55722e1d4c4c in main (/home/min/heif/fuzzer/fuzzer+0x1ac4c)
#7 0x7fed2bb83082 in __libc_start_main ../csu/libc-start.c:308
#8 0x55722e1d42bd in _start (/home/min/heif/fuzzer/fuzzer+0x1a2bd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/min/heif/fuzzer/fuzzer+0x1189ec) in heif::Fraction::round() const
==8030==ABORTING
Please check the attached POC.
POC.zip
Related news
Debian Linux Security Advisory 5796-1 - Multiple security issues were found in libheif, a library to parse HEIF and AVIF files, which could result in denial of service or potentially the execution of arbitrary code.
Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.