CVE-2023-29659: FPE in box.cc - heif::Fraction::round() · Issue #794 · strukturag/libheif

Tested version:
libheif-1.15.1

Description of the bug:
Floating point exception is triggered when processing a crafted heif image, caused by divide by zero error, which leads to a crash.
This can be used for denial of service attacks.

Steps to reproduce the bug:
Compile with Address Sanitizer (ASan) :
./fuzzer ./poc.heif

Address Sanitizer log:

min@skensita:~/heif/fuzzer$ ./fuzzer dbg/classifiedCrashes/7e74fe547c83f1da6453572ddfe6832d1da6109c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8030==ERROR: AddressSanitizer: FPE on unknown address 0x55722e2d29ed (pc 0x55722e2d29ed bp 0x7ffebc2cd170 sp 0x7ffebc2cd160 T0)
    #0 0x55722e2d29ec in heif::Fraction::round() const (/home/min/heif/fuzzer/fuzzer+0x1189ec)
    #1 0x55722e2f32da in heif::Box_clap::bottom_rounded(int) const (/home/min/heif/fuzzer/fuzzer+0x1392da)
    #2 0x55722e22568c in heif::HeifContext::decode_image_planar(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const (/home/min/heif/fuzzer/fuzzer+0x6b68c)
    #3 0x55722e222609 in heif::HeifContext::decode_image_user(unsigned int, std::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const (/home/min/heif/fuzzer/fuzzer+0x68609)
    #4 0x55722e1dd8dc in heif_decode_image (/home/min/heif/fuzzer/fuzzer+0x238dc)
    #5 0x55722e1d46fa in TestDecodeImage(heif_context*, heif_image_handle const*) (/home/min/heif/fuzzer/fuzzer+0x1a6fa)
    #6 0x55722e1d4c4c in main (/home/min/heif/fuzzer/fuzzer+0x1ac4c)
    #7 0x7fed2bb83082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55722e1d42bd in _start (/home/min/heif/fuzzer/fuzzer+0x1a2bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/min/heif/fuzzer/fuzzer+0x1189ec) in heif::Fraction::round() const
==8030==ABORTING

Please check the attached POC.

POC.zip