Full Disclosure mailing list archives

libheif v1.21.0 Heap Buffer Overflow in Chunk::Chunk


From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 10:13:26 -0400

The vulnerability resides in the constructor Chunk::Chunk (
libheif/sequences/chunk.cc:89). When parsing the Sample Size Box (stsz) of
a HEIF sequence track, the code allocates a std::vector<unsigned int> and
then appends entries for each sample size. The count used for allocation
and iteration is taken directly from the bitstream (Box_stsz::parse)
without verifying consistency between declared count and available data.

When the stsz box is malformed — e.g., declaring fewer entries than
actually present, or corrupted values — the constructor reads/writes beyond
the allocated vector buffer, triggering a heap buffer overflow.

*Attack Surface:*
Any application using libheif to parse untrusted HEIF sequences (e.g.,
media servers, thumbnail generators, messaging clients) may invoke this
vulnerable code. Triggering requires only opening a malicious .heic/.heif
file with a crafted sequence track.

*Impact:*

   - Out-of-bounds heap read/write → corruption of adjacent allocations.
   - Potential arbitrary code execution if heap metadata, C++ vtables, or
     other sensitive structures are corrupted.
   - At minimum, denial of service via crash.

*Evidence:*

==3015612==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000000c30
READ of size 4
#0 Chunk::Chunk(...) libheif/sequences/chunk.cc:89
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
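The defect class described in the post (a sample count taken from the bitstream and used for allocation and iteration without checking it against the bytes actually present) can be illustrated with an added example; this is not libheif's code and does not reproduce Chunk::Chunk or Box_stsz::parse. The box layout mimics an ISO BMFF stsz FullBox, and the helpers make_stsz, parse_stsz_checked and sum_sample_sizes, the SampleSizes struct and all byte payloads are constructed for this illustration. The parser bounds the declared count by the remaining bytes before allocating, and the chunk-like consumer validates every sample index against the table, so both an over-declared count and a chunk range that runs past the table are rejected instead of read out of bounds.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative only, not libheif code. Layout mimics an ISO BMFF stsz FullBox:
// version+flags (4 bytes), sample_size (4), sample_count (4), then sample_count
// big-endian 32-bit entries, present only when sample_size == 0.

static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

static void put_be32(std::vector<uint8_t>& v, uint32_t x) {
    v.push_back(uint8_t(x >> 24)); v.push_back(uint8_t(x >> 16));
    v.push_back(uint8_t(x >> 8));  v.push_back(uint8_t(x));
}

// Constructed payload builder: the declared count may disagree with the number
// of entries actually appended, which is exactly the malformed case.
std::vector<uint8_t> make_stsz(uint32_t sample_size, uint32_t declared_count,
                               const std::vector<uint32_t>& entries) {
    std::vector<uint8_t> box;
    put_be32(box, 0);               // version + flags
    put_be32(box, sample_size);
    put_be32(box, declared_count);
    for (uint32_t e : entries) put_be32(box, e);
    return box;
}

struct SampleSizes {
    uint32_t fixed_size = 0;        // non-zero: every sample has this size
    uint32_t count = 0;             // declared number of samples
    std::vector<uint32_t> sizes;    // per-sample sizes when fixed_size == 0
};

// Hardened parse: bound the declared count by the bytes actually present before
// any allocation or loop. Returns false and leaves `out` empty on malformed input.
bool parse_stsz_checked(const std::vector<uint8_t>& box, SampleSizes& out) {
    out = SampleSizes{};
    const size_t header = 12;
    if (box.size() < header) return false;            // truncated header
    const uint32_t sample_size  = read_be32(&box[4]);
    const uint32_t sample_count = read_be32(&box[8]);
    out.fixed_size = sample_size;
    out.count = sample_count;
    if (sample_size != 0) return true;                // no table follows
    const size_t available = box.size() - header;
    // Compare as count <= available / 4 so that count * 4 cannot overflow.
    if (sample_count > available / 4) return false;   // declared count exceeds data
    out.sizes.reserve(sample_count);                  // bounded by real bytes
    for (uint32_t i = 0; i < sample_count; ++i)
        out.sizes.push_back(read_be32(&box[header + size_t(i) * 4]));
    return true;
}

// Chunk-like consumer (hypothetical): a chunk covers samples [first, first + n).
// The range is validated against the table before any index is used.
bool sum_sample_sizes(const SampleSizes& s, uint32_t first, uint32_t n,
                      uint64_t& total) {
    total = 0;
    const uint64_t end = uint64_t(first) + n;          // 64-bit: no wraparound
    if (s.fixed_size != 0) {
        if (end > s.count) return false;               // range beyond declared samples
        total = uint64_t(s.fixed_size) * n;
        return true;
    }
    if (end > s.sizes.size()) return false;            // range outside the table
    for (uint64_t i = first; i < end; ++i) total += s.sizes[size_t(i)];
    return true;
}

int main() {
    SampleSizes good, bad;
    bool ok_good = parse_stsz_checked(make_stsz(0, 3, {10, 20, 30}), good);
    bool ok_bad  = parse_stsz_checked(make_stsz(0, 100, {10, 20, 30}), bad);
    uint64_t total = 0;
    sum_sample_sizes(good, 0, 3, total);
    std::printf("well-formed: %d (total %llu), over-declared count: %d\n",
                ok_good, (unsigned long long)total, ok_bad);
    return 0;
}
```

The two checks are independent: the parser refuses to allocate or loop past the bytes it was handed, and the consumer refuses any sample index the table does not cover, so a box that declares fewer entries than are present is accepted with the declared count and a chunk reaching past that count is rejected rather than read out of bounds.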