From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 11:51:27 -0400
An integer overflow vulnerability exists in the Y4M input loader (loadY4M
in decoder_y4m.cc) of libheif. The loader fails to properly validate the
width and height values declared in the Y4M file header. Supplying a
crafted .y4m file with extremely large dimensions (e.g., W2147483647
H2147483647) causes integer overflow during buffer size calculations. This
results in uncontrolled memory allocation requests that exceed supported
limits. Depending on the build and allocator behavior, this may cause a
denial of service (application crash or out-of-memory) or heap buffer
overflow leading to potential memory corruption.
*Impact*
- *Denial of Service (DoS):* Application crash or OOM when parsing a
  malicious Y4M file.
- *Potential Memory Corruption:* If the allocation size wraps around to a
  smaller buffer, subsequent writes may overrun heap memory, possibly
  leading to arbitrary code execution under certain conditions.
*Proof of Concept:* When the crafted file is run through a libheif build
with Y4M enabled (e.g., heif-enc or a harness linked against
decoder_y4m.cc), AddressSanitizer reports:
ERROR: AddressSanitizer: requested allocation size 0x400000000000000f ...
SUMMARY: AddressSanitizer: allocation-size-too-big in
HeifPixelImage::ImagePlane::alloc
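The defensive check the advisory calls for is a header parser that treats W and H as untrusted and refuses to let the plane-size arithmetic wrap. The following is an added illustration written for this post, not libheif's code: it parses the first line of a Y4M stream, rejects signed or non-numeric dimension fields, caps each axis and the resulting 4:2:0 frame size, and checks every multiplication before it happens. The per-axis cap (kMaxDimension), the frame-size cap (kMaxFrameBytes) and the sample header lines are assumptions chosen for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>

// Caps are assumptions for this example; they are not libheif's real limits.
static const uint64_t kMaxDimension = 16384;        // per-axis cap (assumed)
static const uint64_t kMaxFrameBytes = 1ULL << 30;  // 1 GiB frame cap (assumed)

struct Y4MHeader {
  uint64_t width = 0;
  uint64_t height = 0;
};

// Multiply with an explicit overflow check instead of trusting wrap-around.
static bool checked_mul(uint64_t a, uint64_t b, uint64_t& out) {
  if (a != 0 && b > UINT64_MAX / a) return false;
  out = a * b;
  return true;
}

// Parse a non-negative decimal field such as "640" from a "W640" token.
// Rejects empty strings, signs and non-digit characters, so "-1" can never
// be wrapped into a huge unsigned value by strtoul-style parsing.
static bool parse_dimension(const std::string& digits, uint64_t& out) {
  if (digits.empty() || digits.size() > 10) return false;  // > 10 digits can't fit the cap
  uint64_t v = 0;
  for (char c : digits) {
    if (c < '0' || c > '9') return false;
    v = v * 10 + static_cast<uint64_t>(c - '0');
  }
  if (v == 0 || v > kMaxDimension) return false;
  out = v;
  return true;
}

// Parse the Y4M stream header line, e.g. "YUV4MPEG2 W640 H480 F30:1 I p C420".
// Returns false on a malformed line or on dimensions that fail validation.
bool parse_y4m_header(const std::string& line, Y4MHeader& hdr) {
  std::istringstream in(line);
  std::string tok;
  if (!(in >> tok) || tok != "YUV4MPEG2") return false;
  bool have_w = false, have_h = false;
  while (in >> tok) {
    if (tok[0] == 'W') {
      if (!parse_dimension(tok.substr(1), hdr.width)) return false;
      have_w = true;
    } else if (tok[0] == 'H') {
      if (!parse_dimension(tok.substr(1), hdr.height)) return false;
      have_h = true;
    }
    // Other parameters (frame rate, interlacing, colourspace) are ignored here.
  }
  return have_w && have_h;
}

// Bytes for one 8-bit 4:2:0 frame: luma w*h plus two chroma planes of
// ceil(w/2)*ceil(h/2). Every multiplication and addition is checked, and the
// total is compared against the frame cap before any allocation would occur.
bool checked_frame_size_420(uint64_t w, uint64_t h, uint64_t& bytes) {
  uint64_t luma = 0, chroma = 0, chroma2 = 0;
  if (!checked_mul(w, h, luma)) return false;
  uint64_t half_w = w / 2 + (w & 1);  // ceil(w/2) without risking w+1 overflow
  uint64_t half_h = h / 2 + (h & 1);
  if (!checked_mul(half_w, half_h, chroma)) return false;
  if (!checked_mul(chroma, 2, chroma2)) return false;
  if (luma > UINT64_MAX - chroma2) return false;
  bytes = luma + chroma2;
  return bytes <= kMaxFrameBytes;
}

int main() {
  // Constructed sample headers: one benign, one with the advisory's dimensions.
  const char* samples[] = {
    "YUV4MPEG2 W640 H480 F30:1 I p C420",
    "YUV4MPEG2 W2147483647 H2147483647 F30:1 I p C420",
  };
  for (const char* s : samples) {
    Y4MHeader hdr;
    uint64_t bytes = 0;
    bool ok = parse_y4m_header(s, hdr) &&
              checked_frame_size_420(hdr.width, hdr.height, bytes);
    std::printf("%-50s -> %s (%llu bytes)\n", s, ok ? "accepted" : "rejected",
                static_cast<unsigned long long>(bytes));
  }
  return 0;
}
```

The point of checking before multiplying is that a wrapped product looks like a perfectly valid small allocation to the allocator; only the parser knows the declared dimensions could not possibly fit in it, so the rejection has to happen at this layer.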
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation Ron E (Sep 08)