Описание
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | pending | |
| esm-apps/bionic | released | 1.1.0-2ubuntu0.1~esm2 |
| esm-apps/focal | released | 1.6.1-1ubuntu0.1~esm2 |
| esm-apps/jammy | released | 1.12.0-2ubuntu0.1~esm2 |
| jammy | needed | |
| noble | released | 1.17.6-1ubuntu4.2 |
| plucky | released | 1.19.7-1ubuntu0.1 |
| questing | released | 1.20.2-1ubuntu0.1 |
| upstream | released | 1.21.0 |
Показывать по
6.5 Medium
CVSS3
Связанные уязвимости
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
libheif is an HEIF and AVIF file format decoder and encoder. Prior to ...
6.5 Medium
CVSS3