Summary:

A heap-buffer-overflow vulnerability exists in libheif (confirmed on version 1.17.6-1ubuntu4.1, Ubuntu 24.04.2 LTS). The bug is triggered during decoding of a crafted .heic file using the public API heif_decode_image(). The vulnerable function performs a memcpy() of 9216 bytes from a std::vector<unsigned char> that only contains 96 valid bytes, reading far past the end of the heap allocation and leading to memory corruption and potential exploitation. It is unconfirmed whether the bug is present in the current upstream version.
Technical Details:

- Function: UncompressedImageCodec::decode_uncompressed_image()
- Trigger path: heif_decode_image() → decode_image_user() → decode_image_planar() → decode_uncompressed_image()
- Root cause: A vector buffer is populated with untrusted data from the file, then used as the source of a memcpy() whose length is never validated against the vector's actual size. This leads to a 9216-byte read from a 96-byte buffer.
ASan Trace (simplified):

```
==ASAN==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x508000000700
READ of size 9216 at 0x508000000700 thread T0
    #0 memcpy
    #1 decode_uncompressed_image (libheif/uncompressed_image.cc:756)
    #2 decode_image_planar
    #3 decode_image_user
    #4 heif_decode_image
```

- The overflow occurs immediately past a std::vector<unsigned char> heap allocation.
- The over-read memory region resides in a live rw-p heap mapping, so without ASan the read does not fault; it returns whatever neighbouring heap contents happen to be there.
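To make the bug class concrete, the following C++ fragment is an added illustration, not libheif's code and not the PoC linked below. It models a decoder copying one image plane out of a std::vector that holds the item's payload: the unchecked version mirrors the reported pattern (copy length taken from the request, never compared against the vector's size), and the hardened version computes the plane size with integer-overflow detection and refuses the copy unless the payload actually contains the requested bytes. The struct and function names (PlaneRequest, copy_plane_unchecked, copy_plane_checked, try_checked_copy) and the choice of a 96x96x1 plane to reproduce the 9216-vs-96 mismatch are constructed assumptions; the real decoder's field layout is not shown on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed model of the bug class, not libheif's code: a decoder copies
// one image plane out of a std::vector holding the item's raw payload.
struct PlaneRequest {
    uint32_t width;            // plane width in samples (attacker-controlled in a crafted file)
    uint32_t height;           // plane height in samples
    uint32_t bytes_per_sample; // bytes per sample
    size_t   src_offset;       // byte offset of the plane inside the payload vector
};

// Vulnerable pattern (mirrors the report): the copy length comes from the
// request, and nothing compares src_offset + length against src.size().
// With a 96-byte payload and a 96x96x1 plane this reads 9216 bytes, i.e.
// 9120 bytes past the end of the vector's heap allocation.
// Never call this with untrusted input; it is here only for comparison.
static void copy_plane_unchecked(std::vector<uint8_t>& dst,
                                 const std::vector<uint8_t>& src,
                                 const PlaneRequest& r) {
    size_t n = static_cast<size_t>(r.width) * r.height * r.bytes_per_sample;
    dst.resize(n);
    std::memcpy(dst.data(), src.data() + r.src_offset, n); // heap-buffer-overflow READ
}

// Hardened variant: derive the byte count with overflow detection, then
// refuse the request unless the payload really contains src_offset + n bytes.
// On rejection dst is left empty and false is returned.
static bool copy_plane_checked(std::vector<uint8_t>& dst,
                               const std::vector<uint8_t>& src,
                               const PlaneRequest& r) {
    dst.clear();
    size_t n = 0;
    if (__builtin_mul_overflow(static_cast<size_t>(r.width), static_cast<size_t>(r.height), &n) ||
        __builtin_mul_overflow(n, static_cast<size_t>(r.bytes_per_sample), &n)) {
        return false; // width*height*bps does not fit in size_t
    }
    size_t end = 0;
    if (__builtin_add_overflow(r.src_offset, n, &end) || end > src.size()) {
        return false; // plane extends past the bytes actually read from the file
    }
    dst.assign(src.begin() + static_cast<std::ptrdiff_t>(r.src_offset),
               src.begin() + static_cast<std::ptrdiff_t>(end));
    return true;
}

// Builds a constructed payload of src_len filler bytes and runs the checked
// copy. Returns the number of bytes copied, or -1 if the request was rejected.
static long try_checked_copy(size_t src_len, const PlaneRequest& r) {
    std::vector<uint8_t> src(src_len, 0xAB); // constructed payload, not file data
    std::vector<uint8_t> dst;
    if (!copy_plane_checked(dst, src, r)) return -1;
    return static_cast<long>(dst.size());
}

int main() {
    // The report's numbers: 96 valid bytes, 9216 requested (modelled as 96x96x1).
    const PlaneRequest oversized{96, 96, 1, 0};
    const PlaneRequest exact{8, 12, 1, 0};
    std::printf("96x96x1 from 96 bytes -> %ld\n", try_checked_copy(96, oversized)); // -1
    std::printf("8x12x1  from 96 bytes -> %ld\n", try_checked_copy(96, exact));     // 96
    // copy_plane_unchecked(dst, src, oversized) would be the ASan-reported over-read.
    return 0;
}
```

The two checks in copy_plane_checked are the ones a fix for this class of bug needs: the size arithmetic must not wrap (a large width/height pair can otherwise produce a small n that passes a naive comparison), and the final bound must be checked against the number of bytes actually read from the file, not against a size the file itself claims.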
**Impact:**

- Denial of Service (crash)
- Heap memory corruption
- Potential infoleak or control-flow hijack (RCE) with heap grooming

The sanitizer report shows an out-of-bounds READ, so the directly demonstrated outcome is the crash under ASan. Without ASan the over-read lands in a mapped rw-p region and the copy completes, so the infoleak, memory-corruption and RCE outcomes listed above remain potential and depend on how the over-read bytes are used downstream.
Reproduction:

Compile the PoC with AddressSanitizer and run it against the crash file:

```sh
clang -fsanitize=address -g -O1 -o poc_libheif poc_libheif.c -lheif
ASAN_OPTIONS=detect_leaks=0 ./poc_libheif crash_input.heic
```
Discovered in: libheif 1.17.6-1ubuntu4.1 (Ubuntu 24.04.2 LTS)
PoC: https://github.com/SexyShoelessGodofWar/LibHeif---CVE-2025-XXXXX/blob/main/poc_libheif.c
CrashFile: https://github.com/SexyShoelessGodofWar/LibHeif---CVE-2025-XXXXX/blob/main/crash_input.heic
Issue: strukturag/libheif#1508
Discoverer: Gareth @ AnchorSec (https://www.anchorsec.co.uk)