
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-41311 affects libheif version 1.17.6, a decoder and encoder for the HEIF and AVIF image formats. The vulnerability stems from insufficient checks in the ImageOverlay::parse() function when decoding a HEIF file that contains an overlay image with forged offsets, which can lead to out-of-bounds read and write operations. The issue was discovered by Gerrard Tai and was disclosed in July 2024 (Gist Report, NVD).
The vulnerability occurs in the ImageOverlay::parse() function, where the per-image horizontal and vertical offsets carried in the overlay ('iovl') item payload, which the iloc box points to, are trusted without proper validation. HeifPixelImage::overlay() does perform sanity checks before compositing, but extremely large positive or negative offsets defeat them, so the region that is read from the overlay image or written to the output canvas is no longer constrained to either image. The vulnerability has a CVSS 3.1 Base Score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. It is tracked under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) (NVD).
When exploited, this vulnerability can lead to out-of-bounds read and write operations, potentially resulting in information disclosure, code execution, or denial of service. Exploitation requires a malicious HEIF file to be decoded by the library; the UI:R component of the vector reflects that a user or service must open the attacker-supplied image, so any application that decodes untrusted HEIF or AVIF input through libheif (image viewers, thumbnailers, upload pipelines) is exposed (Gist Report).
The vulnerability has been fixed in libheif version 1.18.0 through a patch that implements proper validation of overlay offsets. The fix includes additional checks to ensure that in_x0/in_y0 and out_x0/out_y0 lie within the bounds of their respective images' dimensions. For Debian 11 bullseye, the fix has been backported to version 1.11.0-1+deb11u1; on a Debian or Ubuntu host, `dpkg -s libheif1` shows the installed package version so it can be compared against these fixed versions (Debian Advisory, GitHub PR).
Source: This report was generated using AI