
Full Disclosure mailing list archives
libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 10:15:34 -0400
The Track::init_sample_timing_table logic manages a std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks. With malformed HEIF sequence files, corrupted chunk tables may cause premature destruction of Chunk objects while references remain in the vector. Later accesses via std::__shared_ptr<Chunk>::get() return a dangling pointer. ASan reports these as heap-buffer-overflows because the stale pointer still points into heap memory. In reality, the vulnerability is caused by dangling shared_ptr state, i.e., a use-after-free on the Chunk object.

*Root Cause:*
- Improper lifetime management of Chunk objects when parsing corrupted sequence metadata.
- No validation that chunk indices map to live objects before dereferencing.

*Attack Surface:*
Triggered when a crafted HEIF sequence provides inconsistent or truncated chunk layout metadata (stsc / stco / stsz).

*Impact:*
- Use-after-free allows reads from freed memory and potentially controlled reuse of memory.
- Possible heap information disclosure or corruption.
- Exploitable in contexts with predictable allocator behavior → may allow arbitrary code execution.

*Evidence:*
==3420210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000540
READ of size 8
    #0 std::__shared_ptr<Chunk>::get() const .../shared_ptr_base.h:1667

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
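As an added illustration of the defect class the report describes (this is not libheif's code and not the poster's), the self-contained C++ sketch below models a track chunk table with hypothetical Chunk and TrackChunks types and constructed sample data. It places the fragile pattern, a raw non-owning pointer taken through shared_ptr::get() with no bounds or liveness check, beside a hardened accessor that bounds-checks the chunk index, rejects slots whose object has already been destroyed, and hands back shared ownership so the Chunk cannot vanish underneath the caller. A validation pass over stsc-style sample ranges shows the kind of consistency check a parser can run before any dereference.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for a parsed sample chunk; not libheif's Chunk class.
struct Chunk {
    uint32_t first_sample;   // index of the first sample stored in this chunk
    uint32_t sample_count;   // number of samples in the chunk (stsc-style)
    uint64_t offset;         // byte offset of the chunk in the file (stco-style)
};

// Hypothetical stand-in for a track's chunk table.
struct TrackChunks {
    std::vector<std::shared_ptr<Chunk>> chunks;
};

// Constructed sample data. With corrupt == true the second slot has been reset,
// modelling a Chunk destroyed while parsing inconsistent metadata although its
// vector entry remains.
TrackChunks make_table(bool corrupt) {
    TrackChunks t;
    t.chunks.push_back(std::make_shared<Chunk>(Chunk{0, 4, 1024}));
    t.chunks.push_back(std::make_shared<Chunk>(Chunk{4, 4, 2048}));
    t.chunks.push_back(std::make_shared<Chunk>(Chunk{8, 2, 4096}));
    if (corrupt) t.chunks[1].reset();
    return t;
}

// The fragile pattern: a raw, non-owning view obtained through get(). Nothing
// checks that idx is in range or that the slot still owns an object, and the
// returned pointer does not keep the Chunk alive, so it dangles as soon as the
// vector drops or replaces the entry.
Chunk* lookup_unchecked(const TrackChunks& t, size_t idx) {
    return t.chunks[idx].get();
}

// Hardened accessor: bounds-check the index, refuse empty slots, and return a
// shared_ptr copy so the Chunk outlives any later mutation of the table.
std::shared_ptr<Chunk> lookup_checked(const TrackChunks& t, size_t idx) {
    if (idx >= t.chunks.size()) return nullptr;  // index beyond the chunk table
    const std::shared_ptr<Chunk>& slot = t.chunks[idx];
    if (!slot) return nullptr;                   // slot present, object already gone
    return slot;
}

// Consistency pass to run once the table is built and before any sample lookup:
// every slot must hold a live object, sample ranges must be contiguous and
// non-empty, and the running sample count must not wrap.
bool validate_chunk_table(const TrackChunks& t) {
    uint32_t expected_first = 0;
    for (const auto& c : t.chunks) {
        if (!c) return false;
        if (c->first_sample != expected_first) return false;
        if (c->sample_count == 0) return false;
        if (c->sample_count > UINT32_MAX - expected_first) return false;
        expected_first += c->sample_count;
    }
    return true;
}

// Resolve a sample index to its owning chunk without ever touching a dead slot.
std::shared_ptr<Chunk> resolve_sample_chunk(const TrackChunks& t, uint32_t sample) {
    for (const auto& c : t.chunks) {
        if (!c) return nullptr;   // corrupt table: stop rather than dereference
        if (sample >= c->first_sample && sample < c->first_sample + c->sample_count)
            return c;
    }
    return nullptr;               // sample index past the end of the track
}

int main() {
    TrackChunks bad = make_table(true);
    std::printf("corrupt table valid? %s\n", validate_chunk_table(bad) ? "yes" : "no");
    std::printf("unchecked lookup of slot 1 -> %p\n",
                static_cast<void*>(lookup_unchecked(bad, 1)));
    // The table here is a temporary that is destroyed at the end of the statement;
    // the returned shared_ptr keeps the Chunk alive regardless.
    std::shared_ptr<Chunk> held = lookup_checked(make_table(false), 2);
    std::printf("held chunk offset after table destroyed: %llu\n",
                static_cast<unsigned long long>(held->offset));
    return 0;
}
```

The design point is that the accessor returns ownership rather than a view: a caller holding the shared_ptr copy keeps the object alive even if the parser later clears or rebuilds the vector, which is exactly the window in which a get()-derived raw pointer would dangle. Running the validation pass before any sample-to-chunk resolution turns a malformed stsc/stco layout into a clean parse failure instead of a dereference of a dead slot.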