Stack-buffer-overwrite in function heif_image_get_decoding_warnings #1140

Open
fdu-sec opened this issue Mar 8, 2024 · 0 comments

fdu-sec commented Mar 8, 2024

Description

Stack-buffer-overwrite in function heif_image_get_decoding_warnings

Version

commit ID 33e00a4ec54e6fffca3febe3054017b1b81a0c49
$ ./examples/heif-convert -v
1.17.6
libheif: 1.17.6
plugin path: /usr/local/lib/libheif
$ ./examples/heif-convert --list-decoders
HEIC decoders:
- libde265 = libde265 HEVC decoder, version 1.0.4
AVIF decoders:
- aom = AOMedia Project AV1 Decoder v1.0.0
JPEG decoders:
JPEG 2000 decoders:
uncompressed: no

Replay

git clone https://github.com/strukturag/libheif.git
cd libheif
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake .
make -j
./examples/heif-convert poc test.png

ASAN

File contains 1 image
=================================================================
==4098626==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffce00 at pc 0x7ffff6f9a7a3 bp 0x7fffffffc630 sp 0x7fffffffc620
WRITE of size 16 at 0x7fffffffce00 thread T0
    #0 0x7ffff6f9a7a2 in heif_image_get_decoding_warnings (/libheif/libheif/libheif.so.1+0xf97a2)
    #1 0x555555564b82 in main (/libheif/examples/heif-convert+0x10b82)
    #2 0x7ffff6a17082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #3 0x55555555fadd in _start (/libheif/examples/heif-convert+0xbadd)

Address 0x7fffffffce00 is located in stack of thread T0 at offset 1712 in frame
    #0 0x5555555627df in main (/libheif/examples/heif-convert+0xe7df)

  This frame has 62 object(s):
    [32, 33) 'initializer'
    [96, 97) '<unknown>'
    [160, 161) '<unknown>'
    [224, 225) '<unknown>'
    [288, 289) '<unknown>'
    [352, 353) '<unknown>'
    [416, 417) '<unknown>'
    [480, 481) '<unknown>'
    [544, 545) '<unknown>'
    [608, 609) '<unknown>'
    [672, 673) '<unknown>'
    [736, 737) '<unknown>'
    [800, 801) '<unknown>'
    [864, 868) 'option_index'
    [928, 932) 'depth_id'
    [992, 1000) 'encoder'
    [1056, 1064) 'cr'
    [1120, 1128) 'handle'
    [1184, 1192) 'image'
    [1248, 1256) 'depth_handle'
    [1312, 1320) 'depth_image'
    [1376, 1384) '__for_begin'
    [1440, 1448) '__for_end'
    [1504, 1512) 'aux_handle'
    [1568, 1576) 'aux_image'
    [1632, 1640) 'auxTypeC'
    [1696, 1712) 'err' <== Memory access at offset 1712 overflows this variable
    [1760, 1784) 'image_IDs'
    [1824, 1848) 'auxIDs'
    [1888, 1912) 'ids'
    [1952, 1976) 'xmp'
    [2016, 2040) 'exif'
    [2080, 2112) '<unknown>'
    [2144, 2176) 'input_filename'
    [2208, 2240) 'output_filename_stem'
    [2272, 2304) 'output_filename_suffix'
    [2336, 2368) 'input_stem'
    [2400, 2432) '<unknown>'
    [2464, 2496) '<unknown>'
    [2528, 2560) '<unknown>'
    [2592, 2624) 'suffix_lowercase'
    [2656, 2688) 'filename'
    [2720, 2752) 'numbered_output_filename_stem'
    [2784, 2816) '<unknown>'
    [2848, 2880) '<unknown>'
    [2912, 2944) '<unknown>'
    [2976, 3008) '<unknown>'
    [3040, 3072) 'auxType'
    [3104, 3136) '<unknown>'
    [3168, 3200) '<unknown>'
    [3232, 3264) 'auxFilename'
    [3296, 3328) 'itemtype'
    [3360, 3392) 'contenttype'
    [3424, 3456) 'xmp_filename'
    [3488, 3520) 'exif_filename'
    [3552, 3928) 's'
    [3968, 4344) 's'
    [4384, 4760) 's'
    [4800, 5312) 'ostr'
    [5344, 5856) 'ostr'
    [5888, 6408) 'istr'
    [6464, 6476) 'magic'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/libheif/libheif/libheif.so.1+0xf97a2) in heif_image_get_decoding_warnings
Shadow bytes around the buggy address:
  0x10007fff7970: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff7980: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff7990: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff79a0: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff79b0: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00
=>0x10007fff79c0:[f2]f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79d0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79e0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79f0: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
  0x10007fff7a00: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
  0x10007fff7a10: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4098626==ABORTING

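The report above pins a 16-byte write to offset 1712 of main's frame, which is exactly the end of the 16-byte object 'err' [1696, 1712): a second 16-byte record was written where the caller had room for one. The issue does not show the call site or the cause, so the following is an added illustration (not libheif code) of the general bug class that produces this shape of report: an API that fills caller-supplied records without honouring the caller's capacity, beside a bounded version and a caller that drains all records safely through a single stack slot. The `struct warning` type, the `get_warnings_*` functions and the sample records are all hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 16-byte record on LP64 (two ints plus a pointer), the
 * same size as the 16-byte stack object 'err' named in the ASan report. */
struct warning {
    int code;
    int subcode;
    const char* message;
};

/* Constructed sample: records a decoder might have accumulated. */
static const struct warning sample_warnings[] = {
    {1, 100, "constructed warning A"},
    {1, 101, "constructed warning B"},
    {2, 200, "constructed warning C"},
};
#define N_SAMPLE ((int)(sizeof sample_warnings / sizeof sample_warnings[0]))

/* Buggy pattern (hypothetical, not libheif's code): copies every record
 * from 'first' onwards and never consults the capacity the caller passed.
 * With one 16-byte slot and two or more records, the second copy writes
 * 16 bytes immediately past the caller's object, which is what ASan
 * flags as "WRITE of size 16 ... overflows this variable". */
int get_warnings_unbounded(const struct warning* avail, int navail,
                           int first, struct warning* out, int max_out)
{
    (void)max_out;                      /* capacity ignored: the defect */
    int n = 0;
    for (int i = first; i < navail; i++) {
        out[n++] = avail[i];
    }
    return n;
}

/* Bounded version: validates its inputs, writes at most max_out records,
 * and reports how many records remain so the caller can loop. */
int get_warnings_bounded(const struct warning* avail, int navail,
                         int first, struct warning* out, int max_out,
                         int* remaining)
{
    if (!avail || !out || navail < 0 || first < 0 || max_out <= 0) {
        if (remaining) *remaining = 0;
        return 0;
    }
    int n = 0;
    int i = first;
    for (; i < navail && n < max_out; i++) {
        out[n++] = avail[i];
    }
    if (remaining) *remaining = (i < navail) ? navail - i : 0;
    return n;
}

/* Drains every record through a single 'struct warning' on the stack,
 * the only safe way for a caller that owns one slot. Returns the total
 * number of records delivered. */
int drain_one_at_a_time(const struct warning* avail, int navail)
{
    struct warning err;
    int total = 0, remaining = 0, idx = 0;
    do {
        int n = get_warnings_bounded(avail, navail, idx, &err, 1, &remaining);
        if (n == 0) break;
        total += n;
        idx += n;
    } while (remaining > 0);
    return total;
}

int main(void)
{
    struct warning err;
    int remaining = 0;
    int n = get_warnings_bounded(sample_warnings, N_SAMPLE, 0, &err, 1, &remaining);
    printf("copied %d record(s), %d remaining, first message: %s\n",
           n, remaining, err.message);
    printf("drained %d record(s) one at a time\n",
           drain_one_at_a_time(sample_warnings, N_SAMPLE));
    /* get_warnings_unbounded(sample_warnings, N_SAMPLE, 0, &err, 1) would
     * write past 'err'; built with -fsanitize=address as in the Replay
     * section, ASan reports it as a stack-buffer-overflow on 'err'. */
    return 0;
}
```

The design point is that the capacity argument must bound the writes inside the callee, and that a caller with a single slot must loop on the "remaining" count rather than assume one call delivers everything; a one-byte-past-the-end report such as the one above is the signature of one side of that contract being ignored.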
PoC

https://github.com/fdu-sec/poc/blob/main/libheif/stack-buffer-overflow.heif

Environment

Description:	Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0