libheif: Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder
Description
libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unit_offset + unit_size. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector from iterators outside the compressed item buffer, producing an out-of-bounds heap read and crash. Version 1.22.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.22.1
Patches
Vulnerability mechanics
Root cause
"Missing overflow-safe validation: the addition `unit_offset + unit_size` can wrap around, allowing a crafted HEIF file to pass a range check and then construct iterators outside the compressed item buffer."
Attack vector
An attacker crafts a HEIF/AVIF file containing `cmpC`/`icef` properties with a `unit_offset` and `unit_size` pair whose unsigned addition wraps past the end of the compressed item buffer. Because the decoder validates using `unit_offset + unit_size` (which wraps), the range check passes, and `get_compressed_image_data_uncompressed` in `unc_decoder.cc` [ref_id=1] constructs a vector from iterators outside the buffer, causing an out-of-bounds heap read and crash.
Affected code
The vulnerable function is `unc_decoder::get_compressed_image_data_uncompressed` in `libheif/codecs/uncompressed/unc_decoder.cc` [ref_id=1]. The range check `unit_offset + unit_size` is performed on unsigned values, allowing integer wraparound to bypass the validation.
What the fix does
The advisory [ref_id=1] recommends replacing the wrapping addition check with a subtraction form: reject `unit_offset > compressed_bytes.size()`, then reject `unit_size > compressed_bytes.size() - unit_offset`. This prevents overflow because the subtraction cannot wrap when `unit_offset` is already within bounds. The fix also requires rejecting offsets that cannot be represented as valid iterator distances before constructing vectors or spans.
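The two forms of the check side by side, as an added illustration that is not libheif's own code: `compressed_bytes`, `unit_offset` and `unit_size` follow the names used in the advisory, while `checkUnitWrapping`, `checkUnitSafe`, `extractUnit` and `makeSampleBuffer` are hypothetical helpers written for this example, and the 16-byte input is constructed.

```cpp
// Added example modelling the icef compressed-unit range check discussed
// above; this is not libheif's code. Helper names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Constructed sample "compressed item buffer": 16 bytes holding 0..15.
std::vector<uint8_t> makeSampleBuffer() {
  std::vector<uint8_t> buf;
  for (uint8_t i = 0; i < 16; ++i) buf.push_back(i);
  return buf;
}

// Vulnerable form: the sum `unit_offset + unit_size` is computed in 64-bit
// unsigned arithmetic and can wrap to a small value, so a unit that ends far
// past the buffer still satisfies the comparison.
bool checkUnitWrapping(const std::vector<uint8_t>& compressed_bytes,
                       uint64_t unit_offset, uint64_t unit_size) {
  return unit_offset + unit_size <= compressed_bytes.size();
}

// Hardened form from the advisory: confirm the offset lies inside the buffer
// first, then compare the size against the remaining space. The subtraction
// cannot wrap because unit_offset <= size() has already been established.
// The first check also guarantees the offset is representable as an iterator
// distance, since it is bounded by the vector's own size.
bool checkUnitSafe(const std::vector<uint8_t>& compressed_bytes,
                   uint64_t unit_offset, uint64_t unit_size) {
  if (unit_offset > compressed_bytes.size()) return false;
  if (unit_size > compressed_bytes.size() - unit_offset) return false;
  return true;
}

// Copies one compressed unit out of the buffer only after the hardened check
// passes; on rejection it returns an empty vector instead of constructing a
// vector from iterators that point outside `compressed_bytes`.
std::vector<uint8_t> extractUnit(const std::vector<uint8_t>& compressed_bytes,
                                 uint64_t unit_offset, uint64_t unit_size) {
  if (!checkUnitSafe(compressed_bytes, unit_offset, unit_size)) return {};
  auto first = compressed_bytes.begin() + static_cast<std::ptrdiff_t>(unit_offset);
  auto last = first + static_cast<std::ptrdiff_t>(unit_size);
  return std::vector<uint8_t>(first, last);
}

// A unit_size chosen so that 8 + unit_size wraps to 0 in uint64_t arithmetic.
const uint64_t kWrappingSize = std::numeric_limits<uint64_t>::max() - 7;
```

With the constructed buffer, `checkUnitWrapping(buf, 8, kWrappingSize)` returns true because the sum wraps to 0, while `checkUnitSafe` rejects the same pair; a legitimate pair such as offset 4, size 8 passes both and `extractUnit` yields the eight bytes 4..11.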
Preconditions
- config: libheif must be built with WITH_UNCOMPRESSED_CODEC enabled
- input: Attacker supplies a crafted HEIF/AVIF file with cmpC/icef properties whose unit_offset and unit_size sum wraps
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/strukturag/libheif/security/advisories/GHSA-r7qj-cg5r-r6vf