Bug 2425902 (CVE-2025-68431)

Summary: CVE-2025-68431 libheif: libheif has Potential Heap Buffer Over-Read
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A heap buffer over-read flaw was found in libheif, the HEIF/AVIF image decoder and encoder used in multimedia applications. When processing a crafted HEIF image containing overlay (`iovl`) image items, the function HeifPixelImage::overlay() may compute a negative row length, which wraps to a very large value when converted to an unsigned size_t. That value is passed to memcpy(), which then reads past the end of the source image buffer. If a user opens or decodes such a crafted image, the result is an application crash and denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2426446, 2426447, 2426449, 2426448
Bug Blocks:

Description OSIDB Bzimport 2025-12-29 20:01:53 UTC
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.