libheif latest release 1.19.5 was discovered to contain a heap buffer overflow vulnerability due to a signed integer overflow when calculating stride[targetChannel] * (alreadyRead[i] + j) in heifio/decoder_jpeg.cc:425 loadJPEG() when parsing a specially crafted JPEG image file. This vulnerability can lead to Denial of Service or possible code execution.
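To make the failure mode concrete, the following is an added example (not libheif's code) that models the scanline copy in loadJPEG(): vulnerable_row_offset reproduces how an int product of stride and row index wraps past INT_MAX, while checked_row_offset and copy_scanline (hypothetical names) show the overflow-checked, bounds-checked form a fix would use. It assumes a 64-bit build with the GCC/Clang overflow builtins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the affected computation: the destination offset of
 * one JPEG scanline is stride * row, evaluated with int arithmetic in the
 * vulnerable version, then used as the memcpy destination. */

/* Vulnerable pattern: a 32-bit signed product. Signed overflow is undefined
 * behaviour in C; this emulates the two's-complement wraparound a compiler
 * typically produces so the bogus offset can be observed without UB. */
static long long vulnerable_row_offset(int stride, int row)
{
    int64_t wide = (int64_t)stride * (int64_t)row;
    return (long long)(int32_t)(uint32_t)wide;   /* truncated like an int */
}

/* Hardened form: reject negative inputs, multiply in size_t with overflow
 * detection, and require the whole row to fit inside the allocated plane. */
static bool checked_row_offset(size_t plane_bytes, int stride, int row,
                               size_t row_bytes, size_t *offset_out)
{
    if (stride < 0 || row < 0 || row_bytes > (size_t)stride)
        return false;
    size_t off, end;
    if (__builtin_mul_overflow((size_t)stride, (size_t)row, &off))
        return false;
    if (__builtin_add_overflow(off, row_bytes, &end) || end > plane_bytes)
        return false;
    *offset_out = off;
    return true;
}

/* Copy one scanline into the plane only when the checked offset is valid;
 * returns false (and writes nothing) where the unchecked code would overflow. */
static bool copy_scanline(uint8_t *plane, size_t plane_bytes, int stride,
                          int row, const uint8_t *src, size_t row_bytes)
{
    size_t off;
    if (!checked_row_offset(plane_bytes, stride, row, row_bytes, &off))
        return false;
    memcpy(plane + off, src, row_bytes);
    return true;
}
```

With a constructed stride of 65536 and row index 40000 the int product is 2621440000, which wraps to a negative offset; the checked variant refuses the copy instead.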
ASAN Log
heif-enc ./heap-buffer-overflow
Summary: ASAN detected heap-buffer-overflow in loadJPEG(char const*, InputImage*) after a WRITE leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
Command line: ./heif-enc @@ pwn
Testcase: triaged_crashes/heap-buffer-overflow
Crash bucket: e6037dd64c19a8c6e51dde0cf2e06dd4
Crashing thread backtrace:
#0 0x00007ffff729eb1c in __pthread_kill_implementation (/lib/x86_64-linux-gnu/libc.so.6)
at ./nptl/pthread_kill.c:44
#1 0x00007ffff729eb1c in __pthread_kill_internal (/lib/x86_64-linux-gnu/libc.so.6)
at ./nptl/pthread_kill.c:78
#2 0x00007ffff729eb1c in __GI___pthread_kill (/lib/x86_64-linux-gnu/libc.so.6)
at ./nptl/pthread_kill.c:89
#3 0x00007ffff724526e in __GI_raise (/lib/x86_64-linux-gnu/libc.so.6)
at ../sysdeps/posix/raise.c:26
#4 0x00007ffff72288ff in __GI_abort (/lib/x86_64-linux-gnu/libc.so.6)
at ./stdlib/abort.c:79
#5 0x000055555565339b in __sanitizer::Abort() (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#6 0x0000555555651525 in __sanitizer::Die() (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#7 0x0000555555631c4f in __asan::ScopedInErrorReport::~ScopedInErrorReport() (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#8 0x0000555555634cd5 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#9 0x000055555562ad6a in __asan_memcpy (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#10 0x00005555556f7e4f in loadJPEG(char const*, InputImage*) (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#11 0x000055555566fc86 in load_image(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
#12 0x0000555555675332 in main (<REDACTED>/libheif-1.19.5/build/examples/heif-enc)
ASAN Report:
=================================================================
==254623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffed860180f at pc 0x55555562ad48 bp 0x7fffffffcb10 sp 0x7fffffffc2d0
WRITE of size 49150 at 0x7ffed860180f thread T0
#0 0x55555562ad47 in __asan_memcpy ??:?
#1 0x5555556f7e4e in loadJPEG(char const*, InputImage*) ??:?
#2 0x55555566fc85 in load_image(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) :?
#3 0x555555675331 in main ??:?
#4 0x7ffff722a1c9 in __libc_start_call_main csu/../sysdeps/x86/libc-start.c:58
#5 0x7ffff722a28a in __libc_start_main_impl csu/../csu/libc-start.c:360
#6 0x555555591fb4 in _start ??:?
0x7ffed860180f is located 0 bytes after 1579155471-byte region [0x7ffe7a401800,0x7ffed860180f)
allocated by thread T0 here:
#0 0x55555566b541 in operator new[](unsigned long) ??:?
#1 0x7ffff7b6c09b in HeifPixelImage::ImagePlane::alloc(unsigned int, unsigned int, heif_channel_datatype, int, int, heif_security_limits const*) :?
#2 0x7ffff7b6add9 in HeifPixelImage::add_plane(heif_channel, unsigned int, unsigned int, int, heif_security_limits const*) :?
#3 0x7ffff7bc03bd in heif_image_add_plane ??:?
#4 0x5555556f7242 in loadJPEG(char const*, InputImage*) ??:?
#5 0x55555566fc85 in load_image(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) :?
#6 0x555555675331 in main ??:?
#7 0x7ffff722a1c9 in __libc_start_call_main csu/../sysdeps/x86/libc-start.c:58
#8 0x7ffff722a28a in __libc_start_main_impl csu/../csu/libc-start.c:360
#9 0x555555591fb4 in _start ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:? in __asan_memcpy
Shadow bytes around the buggy address:
0x7ffed8601580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ffed8601600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ffed8601680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ffed8601700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ffed8601780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ffed8601800: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ffed8601880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ffed8601900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ffed8601980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ffed8601a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ffed8601a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==254623==ABORTING
Crash context:
Execution stopped here ==> 0x00007ffff729eb1c: mov r14d,eax
Register info:
rax - 0x0000000000000000 (0)
rbx - 0x000000000003e29f (254623)
rcx - 0x00007ffff729eb1c (140737340107548)
rdx - 0x0000000000000006 (6)
rsi - 0x000000000003e29f (254623)
rdi - 0x000000000003e29f (254623)
rbp - 0x00007fffffffb450 (0x7fffffffb450)
rsp - 0x00007fffffffb410 (0x7fffffffb410)
r8 - 0xffffff0000000000 (-1099511627776)
r9 - 0x0000000000000000 (0)
r10 - 0x0000000000000008 (8)
r11 - 0x0000000000000246 (582)
r12 - 0x0000000000000006 (6)
r13 - 0x1000000000000000 (1152921504606846976)
r14 - 0x0000000000000016 (22)
r15 - 0x0fffff0000000000 (1152920405095219200)
rip - 0x00007ffff729eb1c (0x7ffff729eb1c <__GI___pthread_kill+284>)
eflags - 0x00000246 ([ PF ZF IF ])
cs - 0x00000033 (51)
ss - 0x0000002b (43)
ds - 0x00000000 (0)
es - 0x00000000 (0)
fs - 0x00000000 (0)
gs - 0x00000000 (0)
fs_base - 0x00007ffff787f7c0 (140737346271168)
gs_base - 0x0000000000000000 (0)
Reproduction
wget https://github.com/strukturag/libheif/releases/download/v1.19.5/libheif-1.19.5.tar.gz
tar -xvf libheif-1.19.5.tar.gz
rm libheif-1.19.5.tar.gz
cd libheif-1.19.5
mkdir build && cd build && CC=clang CXX=clang++ CFLAGS='-fsanitize=address' CXXFLAGS='-fsanitize=address' cmake .. && make -j20
cd examples
./heif-enc heap-buffer-overflow
Proof-of-Concept Files
heap-buffer-overflow