Re: [Buildroot] [2025.02.x, PATCH 2/3] package/libheif: patch CVE-2025-68431

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [2025.02.x, PATCH 2/3] package/libheif: patch CVE-2025-68431
Date: Fri, 27 Mar 2026 11:02:13 +0100	[thread overview]
Message-ID: <20260327100214.45355-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260316113716.208738-2-thomas.perale@mind.be>

In reply of:
> - CVE-2025-68431:
>     libheif is an HEIF and AVIF file format decoder and encoder. Prior to
>     version 1.21.0, a crafted HEIF that exercises the overlay image item
>     path triggers a heap buffer over-read in `HeifPixelImage::overlay()`.
>     The function computes a negative row length (likely from an unclipped
>     overlay rectangle or invalid offsets), which then underflows when
>     converted to `size_t` and is passed to `memcpy`, causing a very large
>     read past the end of the source plane and a crash. Version 1.21.0
>     contains a patch. As a workaround, avoid decoding images using `iovl`
>     overlay boxes.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2025-68431
>   - https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x. Thanks

> ---
>  ...x-wrong-copy-width-in-overlay-images.patch | 26 +++++++++++++++++++
>  package/libheif/libheif.mk                    |  3 +++
>  2 files changed, 29 insertions(+)
>  create mode 100644 package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> 
> diff --git a/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> new file mode 100644
> index 0000000000..4d845b2f90
> --- /dev/null
> +++ b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> @@ -0,0 +1,26 @@
> +From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
> +From: Dirk Farin <dirk.farin@gmail.com>
> +Date: Tue, 11 Nov 2025 19:47:50 +0100
> +Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
> + Ristori for reporting this)
> +
> +CVE: CVE-2025-68431
> +Upstream: https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + libheif/pixelimage.cc | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
> +index f202c61049..84a8dd739e 100644
> +--- a/libheif/pixelimage.cc
> ++++ b/libheif/pixelimage.cc
> +@@ -1508,7 +1508,7 @@ Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t
> +       if (!has_alpha) {
> +         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
> +                in_p + in_x0 + y * in_stride,
> +-               in_w - in_x0);
> ++               in_w);
> +       }
> +       else {
> +         for (uint32_t x = in_x0; x < in_w; x++) {
> diff --git a/package/libheif/libheif.mk b/package/libheif/libheif.mk
> index 8d91a109db..325502ad00 100644
> --- a/package/libheif/libheif.mk
> +++ b/package/libheif/libheif.mk
> @@ -23,6 +23,9 @@ LIBHEIF_CONF_OPTS = \
>  	-DWITH_REDUCED_VISIBILITY=ON \
>  	-DWITH_SvtEnc=OFF
>  
> +# 0001-fix-wrong-copy-width-in-overlay-images.patch
> +LIBHEIF_IGNORE_CVES += CVE-2025-68431
> +
>  ifeq ($(BR2_PACKAGE_DAV1D),y)
>  LIBHEIF_CONF_OPTS += -DWITH_DAV1D=ON
>  LIBHEIF_DEPENDENCIES += dav1d
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot