SB2026042755 - Multiple vulnerabilities in libheif

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to overwrite image data.

The vulnerability exists due to integer overflow in readTiledSeparate() in heifio/decoder_tiff.cc when decoding crafted tiled TIFF images. A remote attacker can trick the victim into processing a specially crafted TIFF image to overwrite image data.

User interaction is required to process the crafted image.

2) NULL pointer dereference (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in HeifFile::get_item_data() when parsing a crafted HEIF file with a non-pict handler type and enumerating item data. A remote attacker can supply a specially crafted HEIF file to cause a denial of service.

The issue is triggered after parsing succeeds despite the malformed hdlr box leaving the mandatory m_iloc_box pointer uninitialized, and an application subsequently calls heif_item_get_item_data().

Remediation

Install update from vendor's website.

References

• https://github.com/strukturag/libheif/security/advisories/GHSA-wjj2-gjqj-5gr4
• https://github.com/strukturag/libheif/security/advisories/GHSA-h27h-4hc4-5vf5
• https://github.com/advisories/GHSA-h27h-4hc4-5vf5