CVE-2024-5171: Integer Overflow in Libaom Internal Function img_alloc_helper Leading to Heap Buffer Overflow
The Common Vulnerabilities and Exposures system has assigned the identifier CVE-2024-5171 to a critical security vulnerability found in the libaom library, specifically in the internal function img_alloc_helper. The vulnerability stems from an integer overflow situation which could lead to a heap buffer overflow. Exploiting this vulnerability would allow an attacker to execute arbitrary code or crash the application, leading to potential data loss and system destabilization.
In-depth look into the libaom vulnerability
The libaom library, which is part of the Alliance for Open Media (AOMedia) project, provides an AOMedia Video 1 (AV1) codec implementation - a high-performance, royalty-free video codec designed for internet video services. The vulnerability occurs when an integer overflow condition arises within the img_alloc_helper function. The function is responsible for allocating memory and setting up the internal data structures for a video frame. When there's an issue with this function, a heap buffer overflow is likely to occur.
The img_alloc_helper function can be accessed via 3 callers
1. Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets, causing some fields of the returned aom_image_t struct to be invalid.
2. Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets, causing some fields of the returned aom_image_t struct to be invalid.
3. Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets, causing some fields of the returned aom_image_t struct to be invalid.
Code snippet highlighting the issue
static aom_image_t *img_alloc_helper(aom_image_t *img, aom_img_fmt_t fmt,
unsigned int d_w, unsigned int d_h,
unsigned int align,
unsigned int size_align,
unsigned int border,
aom_bit_depth_t bit_depth) {
/* Calculate storage sizes and offsets */
const unsigned int bytes_per_sample = bit_depth > 8 ? 2 : 1;
// ...
const unsigned int w_y = ((d_w + align - 1) & ~(align - 1)) + 2 * border;
const unsigned int h_y = ((d_h + align - 1) & ~(align - 1)) + 2 * border;
const unsigned int w_uv = (w_y + x_subsampling - 1) >> x_subsampling;
const unsigned int h_uv = (h_y + y_subsampling - 1) >> y_subsampling;
// ...
/* Calculate plane strides */
const size_t s_y_raw = (size_t)w_y * bytes_per_sample;
const size_t s_uv_raw = (size_t)w_uv * bytes_per_sample;
// ...
}
In the above code snippet, when d_w, d_h, or align has a large value, it could result in integer overflows affecting the buffer sizes and offsets calculations.
References to the original discoveries and announcements can be found below
- AOMedia Libaom GitHub Repository
- CVE-2024-5171 National Vulnerability Database Entry
Exploit details
Currently, there are no known public exploits targeting this vulnerability. However, it is crucial for users and developers to update their libaom installations to the latest version to avoid possible exploitation. The AOMedia project has been notified about the vulnerability, and it is expected that a patch addressing this issue will be released soon. In the meantime, users are advised to be cautious when working with untrusted video files and input data.
Timeline
Published on: 06/05/2024 20:15:13 UTC
Last modified on: 07/23/2024 18:09:56 UTC