Full Disclosure mailing list archives

libheif v1.21.0 Null Pointer Dereference in Box_hdlr::get_handler_type


From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 10:21:44 -0400

Box_hdlr::get_handler_type() (libheif/box.h:487) is called even when the
hdlr box has not been properly initialized due to malformed input. This
leads to dereferencing a null object pointer.

*Root Cause:*

   - No validation of hdlr box presence before accessing handler fields.

*Impact:*

   - Application crash only (DoS).
   - No memory corruption or exploitability.

*Evidence:*

==2436988==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000ac
#0 Box_hdlr::get_handler_type() const libheif/box.h:487
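The following is an added illustration, not part of the original post and not libheif's own code: a hypothetical, simplified ISO BMFF box parser (the names Box, parse_boxes, find_box, get_handler_type_checked and the sample builders are all invented for this example) showing the check the advisory reports as missing. The hdlr box is looked up and its presence and length validated before handler_type is read, so input that lacks an hdlr box, or carries a truncated one, is reported as an error instead of being dereferenced.

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical, simplified ISO BMFF box model used for illustration only;
// these are not libheif's Box / Box_hdlr classes.
struct Box {
    std::string type;              // four-character code such as "ftyp" or "hdlr"
    std::vector<uint8_t> payload;  // bytes following the 8-byte box header
};

// Parse a flat sequence of boxes laid out as
// [uint32 big-endian size][4-char type][payload ...].
// Returns nullopt instead of trusting a truncated or inconsistent size field.
std::optional<std::vector<Box>> parse_boxes(const std::vector<uint8_t>& data) {
    std::vector<Box> boxes;
    size_t pos = 0;
    while (pos < data.size()) {
        if (data.size() - pos < 8) return std::nullopt;  // header runs past end of input
        uint32_t size = (uint32_t(data[pos]) << 24) | (uint32_t(data[pos + 1]) << 16) |
                        (uint32_t(data[pos + 2]) << 8) | uint32_t(data[pos + 3]);
        if (size < 8 || size > data.size() - pos) return std::nullopt;  // impossible size
        Box b;
        b.type.assign(reinterpret_cast<const char*>(&data[pos + 4]), 4);
        b.payload.assign(data.begin() + pos + 8, data.begin() + pos + size);
        boxes.push_back(std::move(b));
        pos += size;
    }
    return boxes;
}

// Return the first box of the given type, or nullptr when the input never
// carried one. A missing hdlr box is exactly the state the advisory describes.
const Box* find_box(const std::vector<Box>& boxes, const std::string& type) {
    for (const auto& b : boxes)
        if (b.type == type) return &b;
    return nullptr;
}

// Checked accessor for the handler type. The hdlr FullBox payload starts with
// version/flags (4 bytes) and pre_defined (4 bytes); handler_type follows at
// offset 8. Presence and length are validated before any field is read.
std::optional<std::string> get_handler_type_checked(const std::vector<Box>& boxes) {
    const Box* hdlr = find_box(boxes, "hdlr");
    if (hdlr == nullptr) return std::nullopt;            // no hdlr: report, do not dereference
    if (hdlr->payload.size() < 12) return std::nullopt;  // too short to hold handler_type
    return std::string(reinterpret_cast<const char*>(&hdlr->payload[8]), 4);
}

// --- Constructed sample inputs (synthetic bytes, not taken from any real file) ---

std::vector<uint8_t> make_box(const std::string& type, const std::vector<uint8_t>& payload) {
    uint32_t size = static_cast<uint32_t>(8 + payload.size());
    std::vector<uint8_t> out = {uint8_t(size >> 24), uint8_t(size >> 16),
                                uint8_t(size >> 8), uint8_t(size)};
    out.insert(out.end(), type.begin(), type.end());
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

std::vector<uint8_t> concat(std::vector<uint8_t> a, const std::vector<uint8_t>& b) {
    a.insert(a.end(), b.begin(), b.end());
    return a;
}

// Well-formed: ftyp followed by an hdlr whose handler_type is "pict".
std::vector<uint8_t> sample_with_hdlr() {
    std::vector<uint8_t> hdlr_payload = {0, 0, 0, 0, 0, 0, 0, 0, 'p', 'i', 'c', 't', 0, 0, 0, 0};
    return concat(make_box("ftyp", {'h', 'e', 'i', 'c'}), make_box("hdlr", hdlr_payload));
}

// Malformed: the hdlr box is absent entirely.
std::vector<uint8_t> sample_without_hdlr() {
    return make_box("ftyp", {'h', 'e', 'i', 'c'});
}

// Malformed: an hdlr box too short to contain handler_type.
std::vector<uint8_t> sample_short_hdlr() {
    return concat(make_box("ftyp", {'h', 'e', 'i', 'c'}), make_box("hdlr", {0, 0, 0, 0}));
}

int main() {
    for (auto sample : {sample_with_hdlr(), sample_without_hdlr(), sample_short_hdlr()}) {
        auto boxes = parse_boxes(sample);
        if (!boxes) { std::cout << "parse error\n"; continue; }
        auto ht = get_handler_type_checked(*boxes);
        std::cout << (ht ? "handler_type=" + *ht : "no usable hdlr box") << '\n';
    }
    return 0;
}
```

Compiling with a C++17 compiler and running prints one line per sample; the two malformed inputs are reported rather than crashing, which is the behaviour a parser should have on the input class the advisory's ASan trace came from.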
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/