## https://sploitus.com/exploit?id=ABD36FCD-2193-5456-B051-138528383DF6
### Security Issue: Heap Buffer Overflow in `libheif`
**Summary:**
A heap-buffer-overflow vulnerability exists in `libheif` (confirmed on version `1.17.6-1ubuntu4.1`, Ubuntu **24.04.2 LTS**). The bug is triggered during decoding of a crafted `.heic` file using the public API `heif_decode_image()`.
The vulnerable function performs a `memcpy()` of 9216 bytes from a `std::vector<unsigned char>` that holds only 96 valid bytes, so the copy reads 9120 bytes past the end of the heap allocation (an out-of-bounds heap read, as the sanitizer report below shows).
It is unconfirmed whether the bug is present in the current upstream release.
---
**Technical Details:**
- **Function:** `UncompressedImageCodec::decode_uncompressed_image()`
- **Trigger path:**
`heif_decode_image()`
→ `decode_image_user()`
→ `decode_image_planar()`
→ `decode_uncompressed_image()`
- **Root cause:**
A vector buffer is populated with untrusted data from the file, then used as the source of a `memcpy()` whose length is never checked against the vector's actual size. With the crash file this produces a 9216-byte read from a 96-byte buffer.
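The bug class above, a copy whose length comes from the file header while the source vector is shorter, is easiest to see in a small model. The following is an added example and is not libheif's code: the `byte_vec`/`plane_hdr` types, the function names and the 96x96 single-byte-plane header that yields the advisory's 9216-byte size are all assumptions made for the illustration. It shows the unchecked copy beside a hardened form that validates the header against the bytes actually present and rejects size arithmetic that overflows.

```c
/* Model of the libheif bug class (added example, NOT libheif source).
 * Names, types and sample inputs below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for std::vector<unsigned char>: heap pointer plus length. */
typedef struct { unsigned char *data; size_t size; } byte_vec;

/* Header fields an uncompressed-image decoder would read from the file. */
typedef struct { uint32_t width, height, bytes_per_pixel; } plane_hdr;

enum { DECODE_OK = 0, DECODE_TRUNCATED = 1, DECODE_OVERFLOW = 2 };

/* Plane size as the header claims it: 96 x 96 x 1 = 9216 for the sample. */
static size_t expected_plane_bytes(const plane_hdr *h) {
    return (size_t)h->width * h->height * h->bytes_per_pixel;
}

/* Vulnerable pattern: trusts the header and ignores src->size. With a
 * 96-byte source this reads 9120 bytes past the allocation, which is the
 * "READ of size 9216" ASan reports. Shown only; not called on bad input. */
static void copy_plane_unchecked(unsigned char *dst, const byte_vec *src,
                                 const plane_hdr *h) {
    memcpy(dst, src->data, expected_plane_bytes(h)); /* over-read */
}

/* Hardened form: compute the size without overflow, then require that
 * both the source vector and the destination really hold that many bytes. */
static int copy_plane_checked(unsigned char *dst, size_t dst_cap,
                              const byte_vec *src, const plane_hdr *h) {
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return DECODE_TRUNCATED;
    if (h->width > SIZE_MAX / h->height)
        return DECODE_OVERFLOW;
    size_t area = (size_t)h->width * h->height;
    if (area > SIZE_MAX / h->bytes_per_pixel)
        return DECODE_OVERFLOW;
    size_t need = area * h->bytes_per_pixel;
    if (need > src->size || need > dst_cap)
        return DECODE_TRUNCATED;            /* header promises more than exists */
    memcpy(dst, src->data, need);
    return DECODE_OK;
}

/* Advisory scenario (constructed): header promises a 96x96 plane but the
 * payload vector holds only 96 bytes. Must be rejected, not copied. */
static int demo_truncated_payload(void) {
    plane_hdr h = { 96, 96, 1 };
    unsigned char payload[96];
    memset(payload, 0xAB, sizeof payload);
    byte_vec src = { payload, sizeof payload };
    unsigned char dst[96 * 96];
    return copy_plane_checked(dst, sizeof dst, &src, &h);
}

/* Same header with a payload that really is 9216 bytes: must succeed. */
static int demo_full_payload(void) {
    plane_hdr h = { 96, 96, 1 };
    size_t n = expected_plane_bytes(&h);
    unsigned char *payload = malloc(n), *dst = malloc(n);
    if (!payload || !dst) { free(payload); free(dst); return -1; }
    memset(payload, 0x5A, n);
    byte_vec src = { payload, n };
    int rc = copy_plane_checked(dst, n, &src, &h);
    free(payload); free(dst);
    return rc;
}

/* Dimensions whose product does not fit in size_t: caught before memcpy. */
static int demo_oversized_header(void) {
    plane_hdr h = { UINT32_MAX, UINT32_MAX, 4 };
    unsigned char dummy[1];
    byte_vec src = { dummy, sizeof dummy };
    return copy_plane_checked(dummy, sizeof dummy, &src, &h);
}

int main(void) {
    (void)copy_plane_unchecked; /* deliberately never run on the bad input */
    printf("truncated payload -> %d (expect %d)\n", demo_truncated_payload(), DECODE_TRUNCATED);
    printf("full payload      -> %d (expect %d)\n", demo_full_payload(), DECODE_OK);
    printf("oversized header  -> %d (expect %d)\n", demo_oversized_header(), DECODE_OVERFLOW);
    return 0;
}
```

Running `copy_plane_unchecked` on the truncated input under AddressSanitizer reproduces the shape of the report in this advisory (a heap-buffer-overflow READ sized to the header, starting right at the end of the 96-byte allocation); the checked variant is what the fix has to look like regardless of how the real decoder computes its plane size.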
---
**ASan Trace (simplified):**
```
==ASAN==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x508000000700 READ of size 9216 at 0x508000000700 thread T0
#0 memcpy
#1 decode_uncompressed_image (libheif/uncompressed_image.cc:756)
#2 decode_image_planar
#3 decode_image_user
#4 heif_decode_image
```
- Overflow occurs immediately past a `std::vector<unsigned char>` heap allocation.
- The corrupted memory region resides in a live `rw-p` heap mapping.
**Impact:**
- Denial of service (crash while decoding a crafted `.heic` file)
- Out-of-bounds heap read: the sanitizer report shows a READ of 9216 bytes, not a write, so adjacent heap contents are copied into the output buffer
- Potential information leak of that adjacent heap data; a control-flow hijack (RCE) is claimed here but is not demonstrated by the PoC and would additionally require a write primitive and heap grooming
**Compile the PoC with AddressSanitizer:**
```bash
clang -fsanitize=address -g -O1 -o poc_libheif poc_libheif.c -lheif
ASAN_OPTIONS=detect_leaks=0 ./poc_libheif crash_input.heic
```
Discovered in: libheif 1.17.6-1ubuntu4.1 (Ubuntu 24.04.2 LTS)
PoC: https://github.com/SexyShoelessGodofWar/LibHeif---CVE-2025-XXXXX/blob/main/poc_libheif.c
CrashFile: https://github.com/SexyShoelessGodofWar/LibHeif---CVE-2025-XXXXX/blob/main/crash_input.heic
Issue: https://github.com/strukturag/libheif/issues/1508