Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
The vulnerability is triggered by calling one of three public library functions: aom_img_alloc(), aom_img_wrap(), or aom_img_alloc_with_border() with excessively large parameter values such as d_w, d_h, align, size_align, or border. Passing such values causes an integer overflow during buffer size calculations and offset computations, and some fields of the returned aom_image_t structure receive incorrect values. As a result, a write occurs beyond the boundaries of the allocated heap buffer (heap buffer overflow).
An attacker can achieve arbitrary code execution (RCE) or destabilize an application using the libaom library, potentially taking control of the victim's system. Due to the lack of authentication and user interaction requirements, the vulnerability is particularly dangerous in applications processing external video files or AV1 streaming data.
Patches available from the vendor should be applied according to the references. Users of Fedora and Debian distributions should immediately update the libaom package to the version provided by distribution maintainers (details in fedora-package-announce and debian-lts-announce lists).
Aomedia libaom library — versions indicated in vendor references and distribution packages for Fedora and Debian (according to published security announcements).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAomedia Libaom
APPAomedia1.0.0 – 3.9.0
Related vulnerabilities
Heap overflow w bibliotece AOM podczas zmiany rozdzielczości w wielowątkowym encode
aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_fram...