Full Disclosure mailing list archives

libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling


From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 10:15:34 -0400

The Track::init_sample_timing_table logic manages a
std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks.
With malformed HEIF sequence files, corrupted chunk tables may cause
premature destruction of Chunk objects while references remain in the
vector. Later accesses via std::__shared_ptr<Chunk>::get() return a
dangling pointer.

ASan reports these as heap-buffer-overflows because the stale pointer still
points into heap memory. In reality, the vulnerability is caused by
dangling shared_ptr state, i.e., a use-after-free on the Chunk object.

*Root Cause:*

   - Improper lifetime management of Chunk objects when parsing corrupted
   sequence metadata.
   - No validation that chunk indices map to live objects before
   dereferencing.
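As an added illustration (not libheif's code), the pattern behind both root-cause items in a small stand-alone C++ model: a chunk table rebuilt from inconsistent sample counts releases its old Chunk objects, a raw pointer taken via shared_ptr::get() has no bounds check and no ownership, while a checked lookup that returns an owning shared_ptr (plus a weak_ptr for references held across rebuilds) makes the stale state detectable instead of a read through freed memory. Chunk, ChunkTable and all function names here are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical stand-in for a parsed sample chunk (not libheif's Chunk type).
struct Chunk {
  uint32_t first_sample;
  uint32_t sample_count;
};
// Owning chunk table, as a parser would build it from stsc/stco/stsz data.
using ChunkTable = std::vector<std::shared_ptr<Chunk>>;
// Rebuild the table from per-chunk sample counts (constructed metadata). A zero
// count models an inconsistent stsc/stsz pair: reject it and leave the table as is.
bool build_chunk_table(ChunkTable& table, const std::vector<uint32_t>& counts) {
  ChunkTable fresh;
  uint32_t next_sample = 0;
  for (uint32_t c : counts) {
    if (c == 0) return false;
    fresh.push_back(std::make_shared<Chunk>(Chunk{next_sample, c}));
    next_sample += c;
  }
  table.swap(fresh);  // every old Chunk is destroyed here
  return true;
}
// Unsafe pattern from the advisory: get() yields a non-owning raw pointer with
// no bounds check; once the table is rebuilt the pointee is already freed.
Chunk* unsafe_chunk_ptr(const ChunkTable& table, size_t idx) {
  return table[idx].get();
}
// Hardened lookup: bounds-check the index, require a live entry, and return an
// owning pointer so the Chunk cannot be released while the caller uses it.
std::shared_ptr<Chunk> checked_chunk(const ChunkTable& table, size_t idx) {
  if (idx >= table.size() || !table[idx]) return nullptr;
  return table[idx];
}

// References kept across table updates should be weak_ptr and re-validated:
// expired() reports the release that a raw pointer silently survives.
bool chunk_still_live(const std::weak_ptr<Chunk>& ref) { return !ref.expired(); }

// Every index is validated, so a truncated table yields a partial total
// instead of a read through a dangling pointer.
uint32_t total_samples(const ChunkTable& table, size_t expected_chunks) {
  uint32_t total = 0;
  for (size_t i = 0; i < expected_chunks; ++i)
    if (auto chunk = checked_chunk(table, i)) total += chunk->sample_count;
  return total;
}
```

Compiled with -fsanitize=address, dereferencing the result of unsafe_chunk_ptr after a rebuild reproduces the heap error class the advisory reports, whereas checked_chunk and chunk_still_live return nullptr/false instead.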

*Attack Surface:*

Triggered when a crafted HEIF sequence provides inconsistent or truncated
chunk layout metadata (stsc / stco / stsz).

*Impact:*

   - Use-after-free allows reads from freed memory and potentially controlled
   reuse of memory.
   - Possible heap information disclosure or corruption.
   - Exploitable in contexts with predictable allocator behavior → may allow
   arbitrary code execution.

*Evidence:*

==3420210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000540
READ of size 8
#0 std::__shared_ptr<Chunk>::get() const .../shared_ptr_base.h:1667
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/