Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-29659: FPE in box.cc - heif::Fraction::round() · Issue #794 · strukturag/libheif

A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.

CVE
#dos#chrome

Tested version:
libheif-1.15.1

Description of the bug:
Floating point exception is triggered when processing a crafted heif image, caused by divide by zero error, which leads to a crash.
This can be used for denial of service attacks.

Steps to reproduce the bug:
Compile with Address Sanitizer (ASan) :
./fuzzer ./poc.heif

Address Sanitizer log:

min@skensita:~/heif/fuzzer$ ./fuzzer dbg/classifiedCrashes/7e74fe547c83f1da6453572ddfe6832d1da6109c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8030==ERROR: AddressSanitizer: FPE on unknown address 0x55722e2d29ed (pc 0x55722e2d29ed bp 0x7ffebc2cd170 sp 0x7ffebc2cd160 T0)
    #0 0x55722e2d29ec in heif::Fraction::round() const (/home/min/heif/fuzzer/fuzzer+0x1189ec)
    #1 0x55722e2f32da in heif::Box_clap::bottom_rounded(int) const (/home/min/heif/fuzzer/fuzzer+0x1392da)
    #2 0x55722e22568c in heif::HeifContext::decode_image_planar(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const (/home/min/heif/fuzzer/fuzzer+0x6b68c)
    #3 0x55722e222609 in heif::HeifContext::decode_image_user(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const (/home/min/heif/fuzzer/fuzzer+0x68609)
    #4 0x55722e1dd8dc in heif_decode_image (/home/min/heif/fuzzer/fuzzer+0x238dc)
    #5 0x55722e1d46fa in TestDecodeImage(heif_context*, heif_image_handle const*) (/home/min/heif/fuzzer/fuzzer+0x1a6fa)
    #6 0x55722e1d4c4c in main (/home/min/heif/fuzzer/fuzzer+0x1ac4c)
    #7 0x7fed2bb83082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55722e1d42bd in _start (/home/min/heif/fuzzer/fuzzer+0x1a2bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/min/heif/fuzzer/fuzzer+0x1189ec) in heif::Fraction::round() const
==8030==ABORTING

Please check the attached POC.

POC.zip

Related news

Debian Security Advisory 5796-1

Debian Linux Security Advisory 5796-1 - Multiple security issues were found in libheif, a library to parse HEIF and AVIF files, which could result in denial of service or potentially the execution of arbitrary code.

Ubuntu Security Notice USN-6847-1

Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907