
Full Disclosure mailing list archives
libheif v1.21.0 Out-of-Bounds Read in FullBox::get_flags
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 10:20:16 -0400
The FullBox::get_flags() method retrieves 24-bit flags from the underlying box header. When a malformed box truncates the field, the function still attempts to read three bytes. With insufficient data, this reads past valid memory into uninitialized or out-of-bounds memory. *Root Cause:* - No length validation before reading flag fields. *Impact:* - Crash due to invalid memory access. - Potential leakage of heap memory values. *Evidence:* SUMMARY: AddressSanitizer: SEGV in FullBox::get_flags() _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- libheif v1.21.0 Out-of-Bounds Read in FullBox::get_flags Ron E (Sep 08)