Executive Summary

This vulnerability exists in libheif versions 1.21.2 and below, which is a library used to decode and encode HEIF and AVIF file formats. A specially crafted HEIF sequence file containing a zero value in the samples_per_chunk field of the stsc box causes an unsigned integer underflow in the Chunk constructor. This underflow sets an internal variable (m_last_sample) to UINT32_MAX, which incorrectly maps all samples to an empty chunk.

When the library tries to access any sample, it attempts to read from an empty vector, causing a guaranteed segmentation fault (SEGV) due to a null-page read. The file itself parses without errors, but the crash happens reliably on the first frame access, resulting in a denial-of-service condition.

The root cause is missing validation in the stsc parser, which does not reject a zero value for samples_per_chunk, even though the ISO 14496-12 specification requires this value to be at least 1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause any application using libheif to open and read crafted HEIF sequence files to crash immediately upon accessing the first frame. This results in a denial-of-service (DoS) condition, where the process terminates unexpectedly.

The attack vector is network-based, requires no privileges, and minimal user interaction, meaning an attacker can exploit this vulnerability remotely to disrupt service availability.

The impact is on availability only, with no confidentiality or integrity loss, but it can cause significant disruption to applications relying on libheif for image processing.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying crafted HEIF sequence files that contain a zero value in the samples_per_chunk field of the stsc box. Since the file parses successfully without errors but causes a segmentation fault on the first frame access, detection involves monitoring for crashes or denial-of-service symptoms in applications using libheif versions 1.21.2 and below.

To detect potential exploitation attempts on your system, you can monitor application logs for crashes related to libheif or use file inspection tools to check HEIF files for the zero samples_per_chunk value.

Suggested commands include:

• Use a hex editor or a binary inspection tool (e.g., hexdump, xxd) to examine the stsc box in HEIF files and check if samples_per_chunk is zero.
• Example command to inspect a file (replace file.heic with your file): hexdump -C file.heic | grep -A 20 'stsc'
• Monitor system logs or application logs for segmentation faults or crashes related to libheif processes, e.g., using journalctl or dmesg on Linux.
• Use network monitoring tools to detect suspicious HEIF files being transferred over the network.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade libheif to version 1.22.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, avoid opening or processing untrusted HEIF sequence files, especially those received from untrusted sources or over the network.

Additionally, implement monitoring to detect crashes or denial-of-service symptoms in applications using libheif, and consider restricting network access to services that process HEIF files if possible.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes a denial of service by crashing applications that use libheif when processing crafted HEIF files. It impacts availability but does not directly affect confidentiality or integrity of data.

Since the vulnerability leads to process termination and denial of service without data leakage or unauthorized access, its impact on compliance with standards like GDPR or HIPAA is indirect and limited to availability concerns.

Organizations relying on libheif for processing HEIF files should consider the availability impact in their risk assessments and mitigation strategies to maintain compliance with availability requirements in such regulations.

Useful 0 Not Useful 0