Bugzilla – Bug 1217902
VUL-0: CVE-2023-49460: libheif: segmentation violation in decode_uncompressed_image()
Last modified: 2024-05-15 14:49:17 UTC
libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49460
https://github.com/strukturag/libheif/issues/1046

Affected code exists since v1.16.0. Therefore not affecting SLE. ALP is affected.
libheif-1.17.5$ mkdir build && cd build
libheif-1.17.5/build$ CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
libheif-1.17.5/build$ make -j8
libheif-1.17.5/build$ examples/heif-convert /217902/poc5 test.png
File contains 1 image
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14988==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3ac4f69432 bp 0x000000000014 sp 0x7ffcd98cd8e8 T0)
==14988==The signal is caused by a READ memory access.
==14988==Hint: address points to the zero page.
    #0 0x7f3ac4f69432 in __memcpy_avx_unaligned_erms (/lib64/libc.so.6+0x169432) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #1 0x7f3ac58b698d in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x2b698d) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #2 0x7f3ac57338f1 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x1338f1) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #3 0x7f3ac57357a7 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0x1357a7) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #4 0x7f3ac56c5c64 in heif_decode_image (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/libheif/libheif.so.1+0xc5c64) (BuildId: dff2d0fd1e766ab0aa3b86d3df7acae6cf459398)
    #5 0x555fbd24dcdd in main (/home/abuild/rpmbuild/SOURCES/libheif-1.17.5/build/examples/heif-convert+0x9cdd) (BuildId: 1be7bcbce01218a6e8431a650b95fc45b81cdbbb)
    #6 0x7f3ac4e281af in __libc_start_call_main (/lib64/libc.so.6+0x281af) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #7 0x7f3ac4e28278 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x28278) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605)
    #8 0x555fbd251964 in _start ../sysdeps/x86_64/start.S:115
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libc.so.6+0x169432) (BuildId: 6d907c3874919b057bcad747e2077ca10369d605) in __memcpy_avx_unaligned_erms
==14988==ABORTING
libheif-1.17.5/build$
No upstream patch yet.
Submitted into a home branch: https://build.opensuse.org/request/show/1134006, due to a pending request: https://build.opensuse.org/request/show/1133912
Factory submit: https://build.opensuse.org/request/show/1134027
I guess something went wrong with the submission, perhaps it was reverted in Factory. New request was sent into Factory: https://build.opensuse.org/request/show/1135837
The newer submission to FACTORY https://build.opensuse.org/request/show/1136786
(In reply to Takashi Iwai from comment #8)
> The newer submission to FACTORY
> https://build.opensuse.org/request/show/1136786

Thanks Takashi for letting me know.

ALP submission: https://build.suse.de/request/show/317097
This is accepted into ALP now. I believe all is fixed.