
Apple: ImageIO renders uninitialized heap memory

Moderate
sirdarckcat published GHSA-4gcf-xm6q-qph7 Apr 25, 2022

Package

ImageIO (Apple)

Affected versions

iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), macOS

Patched versions

iOS 15.4 and iPadOS 15.4

Description

Summary

Severity

Proof of Concept

CVE-2022-22611 and CVE-2022-22612 were discovered by fuzzing.

  • CVE-2022-22611 was an out-of-bounds read in IIOPixelConverterRGB::convert, found with libgmalloc (Apple's Guard Malloc).
  • CVE-2022-22612 was more interesting: ImageIO may render uninitialized heap memory. IIOImageRead::getBytesAtOffset is supposed to fill a freshly allocated heap buffer and hand it to its caller, which renders it later. A crafted image file, however, can make it return early without ever writing to that buffer, so the caller renders whatever the allocator left in it:

[image: imageio_bug]

Further Analysis

CVE-2022-22612 might also be abused to (partially) recover photos that were viewed and then deleted: their pixel data can still sit in freed heap chunks that the decoder's uninitialized buffer is later carved from. For example, here is the preview of a crafted photo opened after two other photos were viewed and deleted:

[image: imageio_bug]
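The two passages above (the early return that skips initialization, and the stale photo data showing through) come down to one C pattern. The following is an added example written for this page, not ImageIO's or Apple's code: a toy image format ("TOYI" magic, 1-byte width, 1-byte height, then width*height pixels) is assumed, together with a decoder that allocates the pixel buffer before it has checked that the pixel data is actually present. The vulnerable version mirrors the bug class in getBytesAtOffset; the hardened version validates before allocating, fails closed, and zero-fills.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format (assumed for this example, not ImageIO's):
 * 4-byte magic "TOYI", 1-byte width, 1-byte height, width*height pixels. */
#define TOY_MAGIC   "TOYI"
#define TOY_HDR_LEN 6

/* Vulnerable pattern: the decoder allocates the pixel buffer, hits an early
 * return on a truncated file, and hands the caller the buffer without ever
 * writing to it. Whatever the allocator last stored in that chunk is what
 * the caller renders. */
uint8_t *get_pixels_vuln(const uint8_t *file, size_t file_len, size_t *out_len)
{
    if (file_len < TOY_HDR_LEN || memcmp(file, TOY_MAGIC, 4) != 0)
        return NULL;
    size_t need = (size_t)file[4] * file[5];
    uint8_t *pixels = malloc(need ? need : 1);   /* not zeroed */
    if (!pixels)
        return NULL;
    *out_len = need;
    if (file_len - TOY_HDR_LEN < need)
        return pixels;          /* BUG: pixel data missing, buffer untouched */
    memcpy(pixels, file + TOY_HDR_LEN, need);
    return pixels;
}

/* Hardened version: validate before allocating, fail closed on a truncated
 * file, and zero the buffer so any remaining early-return path can at worst
 * show black pixels rather than stale heap contents. */
uint8_t *get_pixels_fixed(const uint8_t *file, size_t file_len, size_t *out_len)
{
    if (file_len < TOY_HDR_LEN || memcmp(file, TOY_MAGIC, 4) != 0)
        return NULL;
    size_t need = (size_t)file[4] * file[5];
    if (file_len - TOY_HDR_LEN < need)
        return NULL;            /* truncated: the caller gets nothing to render */
    uint8_t *pixels = calloc(need ? need : 1, 1);
    if (!pixels)
        return NULL;
    memcpy(pixels, file + TOY_HDR_LEN, need);
    *out_len = need;
    return pixels;
}

/* Count how many bytes of a buffer still carry a given value; used below to
 * measure how much of a freed "photo" survives in the uninitialized buffer. */
size_t count_byte(const uint8_t *buf, size_t len, uint8_t value)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == value)
            n++;
    return n;
}

/* Constructed input: header claims 16x16 = 256 pixels, but only 4 follow. */
static const uint8_t truncated_file[] = { 'T', 'O', 'Y', 'I', 16, 16, 1, 2, 3, 4 };
/* Constructed input: header claims 2x2 and all four pixels are present. */
static const uint8_t good_file[] = { 'T', 'O', 'Y', 'I', 2, 2, 10, 20, 30, 40 };

int main(void)
{
    /* Simulate "view a photo, then delete it": a 256-byte buffer filled with
     * a recognisable pattern, then freed back to the allocator. */
    uint8_t *photo = malloc(256);
    if (!photo)
        return 1;
    memset(photo, 0x5A, 256);
    free(photo);

    size_t len = 0;
    uint8_t *px = get_pixels_vuln(truncated_file, sizeof truncated_file, &len);
    if (px) {
        /* With glibc's tcache the freed 256-byte chunk is typically handed
         * straight back, so most of the deleted photo shows through. */
        printf("vuln: rendered %zu bytes, %zu still hold the deleted photo's 0x5A\n",
               len, count_byte(px, len, 0x5A));
        free(px);
    }
    px = get_pixels_fixed(truncated_file, sizeof truncated_file, &len);
    printf("fixed: %s\n", px ? "rendered" : "rejected truncated file");
    free(px);
    return 0;
}
```

How many of the old photo's bytes survive depends on the allocator (tcache, for instance, overwrites the first 16 bytes of a freed chunk with its own metadata), which is why the recovery is only partial, as the advisory says. The durable fix is the ordering in get_pixels_fixed: no buffer reaches the renderer until the input has been fully validated, and the buffer starts zeroed regardless.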

Timeline

Date reported: December 08, 2021
Date fixed: March 14, 2022
Date disclosed: March 14, 2022

Severity

Moderate

CVE ID

CVE-2022-22611

Weaknesses

Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Out-of-bounds Read (CWE-125)

The product reads data past the end, or before the beginning, of the intended buffer.