CVE-2025-62821
Description
Microsoft HEIF Image Extensions 1.2.22.0 has an out-of-bounds read because CHEIFItemInfoEntry_GetDataSize can return success while leaving the reported data size as 0. This causes a caller to make a 1-byte allocation. Later, CopyPixels computes copy_size = stride * abs(roi_height) but does not check the source buffer length before a memmove call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: =1.2.22.0
Patches
Vulnerability mechanics
Root cause
"`CHEIFItemInfoEntry_GetDataSize` returns success with a size of 0, causing an under‑allocation (1‑byte buffer) that is later read far beyond its bounds in `CopyPixels` without a source‑length check."
Attack vector
An attacker crafts a malicious HEIF file that triggers a specific failure branch in `CHEIFItemInfoEntry_GetDataSize`, causing it to return success while leaving the reported data size at 0 [ref_id=1]. The `CHEIFStreamReader_ReadItemData` function then calls `MFCreateMemoryBuffer(0)`, which allocates only a 1‑byte source buffer [ref_id=1]. Later, the `CopyPixels` path computes a large `copy_size = stride * abs(roi_height)` and passes it to `memmove(dst, src, copy_size)` without verifying that the source buffer holds at least that many bytes, resulting in an out‑of‑bounds read and access violation [CWE-125] [ref_id=1]. Opening or previewing the crafted HEIF file in any application that uses Windows Imaging Component (WIC), such as Microsoft Photos, triggers the crash, leading to denial of service [ref_id=1]. No authentication or special network position is required beyond delivering the file to the target (e.g., via email, download, or USB).
What the fix does
The researcher suggests validating in the `CopyPixels` path that the source buffer has at least `stride * abs(roi_height)` bytes before performing the `memmove` [ref_id=1]. If the source is too small, the function should fail with `WINCODEC_ERR_INSUFFICIENTBUFFER` (or an equivalent error) instead of reading past the buffer boundary [ref_id=1]. The patch is not published in the repository; only the advisory and suggested fix are provided [ref_id=1].
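The suggested check, written out as an added C example (not Microsoft's code and not taken from the advisory). `checked_copy_pixels`, its parameters and the status enum are hypothetical stand-ins, with `COPY_ERR_INSUFFICIENT_BUFFER` playing the role of `WINCODEC_ERR_INSUFFICIENTBUFFER`. The 64-bit size computation and the destination-length check go beyond the suggested fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes; COPY_ERR_INSUFFICIENT_BUFFER stands in for
   WINCODEC_ERR_INSUFFICIENTBUFFER named in the suggested fix. */
enum copy_status {
    COPY_OK = 0,
    COPY_ERR_INSUFFICIENT_BUFFER = -1,
    COPY_ERR_INVALID_ARG = -2
};

/* Hypothetical checked copy; not the codec's real signature. */
static int checked_copy_pixels(uint8_t *dst, size_t dst_len,
                               const uint8_t *src, size_t src_len,
                               uint32_t stride, int32_t roi_height)
{
    if (dst == NULL || src == NULL || stride == 0 || roi_height == 0)
        return COPY_ERR_INVALID_ARG;

    /* abs(INT32_MIN) is undefined in 32 bits, so widen before negating. */
    uint64_t rows = roi_height < 0 ? (uint64_t)(-(int64_t)roi_height)
                                   : (uint64_t)roi_height;

    /* A 32-bit by 32-bit product always fits in 64 bits: no wraparound. */
    uint64_t copy_size = (uint64_t)stride * rows;

    /* The check missing before memmove: the source must hold copy_size
       bytes. The destination check is an addition beyond the suggestion. */
    if (copy_size > src_len || copy_size > dst_len)
        return COPY_ERR_INSUFFICIENT_BUFFER;

    memmove(dst, src, (size_t)copy_size);
    return COPY_OK;
}

int main(void)
{
    /* Constructed inputs: a 1-byte source, as after the zero-size path. */
    uint8_t tiny_src[1] = {0};
    static uint8_t dst[4096];
    int rc = checked_copy_pixels(dst, sizeof dst, tiny_src, sizeof tiny_src,
                                 1024, 4);
    printf("1-byte source, 4096-byte request: %d\n", rc);
    return rc == COPY_ERR_INSUFFICIENT_BUFFER ? 0 : 1;
}
```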
Preconditions
- config: The target must have the Microsoft HEIF Image Extensions (version 1.2.22.0) installed and enabled
- input: The crafted HEIF file must be opened or previewed in an application that routes through WIC (e.g., Microsoft Photos)
- network: Attacker must deliver the malicious HEIF file to the victim via email, download, or physical media
Reproduction
Download the PoC HEIF file from the repository and open it with Microsoft Photos (or any WIC‑based image viewer). The application crashes with an access violation when the codec attempts to read past the 1‑byte source buffer during `memmove`.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.