
Full Disclosure mailing list archives
libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 23 Aug 2025 11:51:27 -0400
An integer overflow vulnerability exists in the Y4M input loader (loadY4M in decoder_y4m.cc) of libheif. The loader fails to properly validate the width and height values declared in the Y4M file header. Supplying a crafted .y4m file with extremely large dimensions (e.g., W2147483647 H2147483647) causes integer overflow during buffer size calculations. This results in uncontrolled memory allocation requests that exceed supported limits. Depending on the build and allocator behavior, this may cause a denial of service (application crash or out-of-memory) or a heap buffer overflow leading to potential memory corruption.

*Impact*

- *Denial of Service (DoS):* Application crash or OOM when parsing a malicious Y4M file.
- *Potential Memory Corruption:* If the allocation size wraps around to a smaller buffer, subsequent writes may overrun heap memory, possibly leading to arbitrary code execution under certain conditions.

*Proof of Concept:*

When the crafted file is run through a libheif build with Y4M enabled (e.g., heif-enc or a harness linked against decoder_y4m.cc), AddressSanitizer reports:

ERROR: AddressSanitizer: requested allocation size 0x400000000000000f
...
SUMMARY: AddressSanitizer: allocation-size-too-big in HeifPixelImage::ImagePlane::alloc

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
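As an added example, not part of the post above and not libheif's own code: a small C++ Y4M header parser that rejects oversized W/H values before anything is allocated, a plane-size computation done in size_t with overflow detection and an absolute cap, and the unchecked 32-bit product that shows how the dimensions quoted in the post wrap to a tiny value. The limits kMaxDimension and kMaxPlaneBytes, all function names, and the sample header strings are assumptions chosen for illustration; they do not reproduce libheif's real loader or its limits.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>

// Hypothetical limits chosen for this example; they are not libheif's.
constexpr uint64_t kMaxDimension = 16384;              // per-axis cap on W/H
constexpr size_t   kMaxPlaneBytes = (size_t)1 << 30;   // 1 GiB cap on a single plane

struct Y4MHeader {
    uint32_t width  = 0;
    uint32_t height = 0;
};

// Parse a Y4M stream header such as "YUV4MPEG2 W640 H480 F30:1 C420".
// Returns nullopt unless the magic is present and both W and H are plain
// decimal numbers in [1, kMaxDimension]. Digits are accumulated in a 64-bit
// value and rejected as soon as the cap is exceeded, so even a 30-digit
// field cannot wrap the accumulator.
std::optional<Y4MHeader> parse_y4m_header(const std::string& line) {
    std::istringstream in(line);
    std::string tok;
    if (!(in >> tok) || tok != "YUV4MPEG2") return std::nullopt;

    Y4MHeader h;
    bool have_w = false, have_h = false;
    while (in >> tok) {
        const char tag = tok[0];
        if (tag != 'W' && tag != 'H') continue;   // other fields are ignored here
        const std::string digits = tok.substr(1);
        if (digits.empty() ||
            digits.find_first_not_of("0123456789") != std::string::npos)
            return std::nullopt;                  // signs, hex, empty -> reject
        uint64_t v = 0;
        for (char c : digits) {
            v = v * 10 + static_cast<uint64_t>(c - '0');
            if (v > kMaxDimension) return std::nullopt;
        }
        if (v == 0) return std::nullopt;
        if (tag == 'W') { h.width  = static_cast<uint32_t>(v); have_w = true; }
        else            { h.height = static_cast<uint32_t>(v); have_h = true; }
    }
    if (!have_w || !have_h) return std::nullopt;
    return h;
}

// Size in bytes of one plane, computed in size_t with overflow detection and
// an absolute cap. Returns 0 if any input is zero, the product overflows, or
// the result exceeds kMaxPlaneBytes; callers must treat 0 as "refuse to allocate".
size_t checked_plane_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel) {
    if (width == 0 || height == 0 || bytes_per_pixel == 0) return 0;
    size_t stride = 0, total = 0;
    if (__builtin_mul_overflow(static_cast<size_t>(width),
                               static_cast<size_t>(bytes_per_pixel), &stride)) return 0;
    if (__builtin_mul_overflow(stride, static_cast<size_t>(height), &total)) return 0;
    if (total > kMaxPlaneBytes) return 0;
    return total;
}

// The failure mode the post describes, reduced to its arithmetic: width*height
// evaluated in 32 bits. For W=H=2147483647 the true product is 2^62-2^32+1,
// which truncates to 1, i.e. a one-byte "plane" for a 2 Gpixel image.
// (Unsigned arithmetic is used so the wrap is well-defined in this illustration.)
uint32_t unchecked_plane_size_u32(uint32_t width, uint32_t height) {
    return width * height;
}

// End-to-end: header text in, safe byte count out (0 = reject the file).
size_t y4m_plane_bytes(const std::string& header, uint32_t bytes_per_pixel) {
    auto h = parse_y4m_header(header);
    if (!h) return 0;
    return checked_plane_size(h->width, h->height, bytes_per_pixel);
}

int main() {
    // Constructed sample headers: one benign, one with the dimensions from the post.
    const std::string benign  = "YUV4MPEG2 W640 H480 F30:1 Ip C420";
    const std::string crafted = "YUV4MPEG2 W2147483647 H2147483647 F30:1 C420";
    std::cout << "benign  -> " << y4m_plane_bytes(benign, 1)  << " bytes\n";
    std::cout << "crafted -> " << y4m_plane_bytes(crafted, 1) << " bytes (0 = rejected)\n";
    std::cout << "32-bit wrap of 2147483647*2147483647 -> "
              << unchecked_plane_size_u32(2147483647u, 2147483647u) << "\n";
    return 0;
}
```

Two checks are deliberately separate: the per-axis cap in the parser stops absurd headers early, while the size_t overflow test plus the absolute byte cap in checked_plane_size catch products that fit in 64 bits but are still far beyond what an allocator should be asked for, which is the allocation-size-too-big case ASan reports above. __builtin_mul_overflow is a GCC/Clang builtin; on MSVC substitute a division-based bound check.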
Current thread:
- libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation Ron E (Sep 08)