Buffer Overflow in heif_js_decode_image in libheif v1.14.2

CVE ID

CVE-2023-0996

Description

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.
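The kind of validation that prevents an overflow in a strided row copy, as an added example (not libheif's code and not the vendor's patch): every size is checked against both buffer lengths before any memcpy runs. The function name, its parameters and the sample plane are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a libheif function: copy `height` rows of
 * `row_bytes` bytes from a strided source plane into a tightly packed
 * destination. Returns 0 on success, -1 if the sizes are inconsistent. */
int copy_plane_checked(uint8_t *dst, size_t dst_len,
                       const uint8_t *src, size_t src_len,
                       size_t stride, size_t row_bytes, size_t height)
{
    if (dst == NULL || src == NULL) return -1;
    if (row_bytes == 0 || height == 0) return 0;  /* nothing to copy */
    if (stride < row_bytes) return -1;            /* rows would overlap */

    /* Destination must hold row_bytes * height; reject multiplication overflow. */
    if (row_bytes > SIZE_MAX / height) return -1;
    if (row_bytes * height > dst_len) return -1;

    /* Source must hold stride * (height - 1) + row_bytes: the last row
     * carries no trailing padding. Check for overflow before computing. */
    if (height > 1 && stride > (SIZE_MAX - row_bytes) / (height - 1)) return -1;
    if (stride * (height - 1) + row_bytes > src_len) return -1;

    for (size_t y = 0; y < height; y++)
        memcpy(dst + y * row_bytes, src + y * stride, row_bytes);
    return 0;
}

int main(void)
{
    /* Constructed sample: 3 rows of 4 pixel bytes, stride 8 (4 padding bytes). */
    uint8_t src[24], dst[12];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)i;

    printf("valid copy:      %d\n", copy_plane_checked(dst, sizeof dst, src, sizeof src, 8, 4, 3));
    printf("dst too small:   %d\n", copy_plane_checked(dst, 11, src, sizeof src, 8, 4, 3));
    printf("src truncated:   %d\n", copy_plane_checked(dst, sizeof dst, src, 19, 8, 4, 3));
    printf("stride < width:  %d\n", copy_plane_checked(dst, sizeof dst, src, sizeof src, 2, 4, 3));
    return 0;
}
```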

Tested Versions

v1.14.2

Details

libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format) file format decoder and encoder.

Timeline

  • 2022-10-21 - Vendor Disclosure
  • 2023-01-11 - Vendor Patched
  • 2023-02-24 - Public Release

Credit

Discovered by Eugene Lim of GovTech Singapore.