
AddressSanitizer: SEGV in decode_uncompressed_image #1046

Closed
fdu-sec opened this issue Nov 22, 2023 · 2 comments

Comments

@fdu-sec

fdu-sec commented Nov 22, 2023

Description

AddressSanitizer: SEGV in decode_uncompressed_image

Version

commit: 64ece913266609789f5dc70fe7de9eb759badd7f

heif-convert  libheif version: 1.17.5
-------------------------------------------
Usage: heif-convert [options]  <input-image> [output-image]

The program determines the output file format from the output filename suffix.
These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.

Options:
  -h, --help                     show help
  -v, --version                  show version
  -q, --quality                  quality (for JPEG output)
  -o, --output FILENAME          write output to FILENAME (optional)
  -d, --decoder ID               use a specific decoder (see --list-decoders)
      --with-aux                 also write auxiliary images (e.g. depth images)
      --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
      --with-exif                write EXIF metadata to file (output filename with .exif suffix)
      --skip-exif-offset         skip EXIF metadata offset bytes
      --no-colons                replace ':' characters in auxiliary image filenames with '_'
      --list-decoders            list all available decoders (built-in and plugins)
      --quiet                    do not output status messages to console
  -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
      --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.

Replay

cd libheif
mkdir build && cd build
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
make -j
./examples/heif-convert ./poc test.png

ASAN

==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
==89344==The signal is caused by a READ memory access.
==89344==Hint: address points to the zero page.
    #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
    #1 0x7f955d85f4de  (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
    #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:758
    #3 0x7f955d5b7304 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
    #4 0x7f955d5b42a8 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
    #5 0x7f955d5771f4 in heif_decode_image libheif/libheif/heif.cc:1044
    #6 0x55e9351aca11 in main libheif/examples/heif_convert.cc:484
    #7 0x7f955cfef082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x55e9351a7add in _start (libheif/build/examples/heif-convert+0xbadd)

POC

Environment

Description:	Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)
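A small triage helper for ASan reports like the one above, written here as an added example (it is not code from this issue or from libheif): it pulls out the error kind, the faulting address and the stack frames, flags a zero-page fault as a NULL dereference, and returns the first frame inside the libheif tree (frame #2, uncompressed_image.cc:758). The embedded sample is the head of the trace above with the C++ parameter lists abbreviated; the `libheif/` prefix and the 4096-byte page size are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the head of the ASan report in this issue, C++ parameter lists cut to "(...)".
SAMPLE_REPORT = """\
==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
==89344==The signal is caused by a READ memory access.
==89344==Hint: address points to the zero page.
    #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
    #1 0x7f955d85f4de  (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
    #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(...) libheif/libheif/uncompressed_image.cc:758
    #3 0x7f955d5b7304 in HeifContext::decode_image_planar(...) libheif/libheif/context.cc:1452
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s*(.*)$")

@dataclass
class Frame:
    index: int
    function: str   # "?" when ASan printed no symbol (frame #1 above, inside libasan)
    location: str   # "file.cc:line" when symbolized, otherwise "module+offset"

@dataclass
class AsanReport:
    kind: str       # "SEGV", "heap-buffer-overflow", ...
    address: int    # faulting address as an integer
    frames: list = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    head = HEADER_RE.search(text)
    if head is None:
        raise ValueError("no AddressSanitizer error header found")
    report = AsanReport(kind=head.group(1), address=int(head.group(2), 16))
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # Last token is the location; the rest (maybe a C++ signature with spaces) is the symbol.
            func, _, loc = m.group(2).strip().rpartition(" ")
            func = func[3:] if func.startswith("in ") else "?"
            report.frames.append(Frame(int(m.group(1)), func, loc.strip("()")))
    return report

def is_null_deref(report: AsanReport, page_size: int = 4096) -> bool:
    # A SEGV inside the first page (ASan's "zero page" hint) is a NULL or NULL+offset dereference.
    return report.kind == "SEGV" and report.address < page_size

def first_project_frame(report: AsanReport, prefix: str):
    # First frame whose location is inside the project tree: the frame to look at first.
    return next((f for f in report.frames if f.location.startswith(prefix)), None)
```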

@carnil

carnil commented Dec 7, 2023

This appears to be CVE-2023-49460

@farindk
Contributor

farindk commented Dec 14, 2023

Apparently also fixed with fd5b02a.

@farindk farindk closed this as completed Dec 14, 2023