A crafted image file can cause `stbi__load_gif_main_outofmem` to attempt a double-free of the `out` variable. [1]
```c
static void *stbi__load_gif_main_outofmem(stbi__gif *g, stbi_uc *out, int **delays)
{
   STBI_FREE(g->out);
   STBI_FREE(g->history);
   STBI_FREE(g->background);
   if (out) STBI_FREE(out); // [1] Double-free
   if (delays && *delays) STBI_FREE(*delays);
   return stbi__errpuc("outofmem", "Out of memory");
}
```
This happens in `stbi__load_gif_main` because when `layers * stride` is zero [2] the behavior is implementation-defined, but commonly `realloc` frees the old memory and returns a null pointer. Since it attempts to double-free the memory [3] a few lines below the first "free" [2], the issue can potentially be exploited only in a multi-threaded environment.
Impact
This issue may lead to code execution.
Resources
To reproduce the issue:
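An added example, not part of the original report and not stb's code: a simplified model of the pattern the report describes, next to a variant that rejects a zero size before `realloc` is called. The one-slot stand-in allocator and every name in it are hypothetical; it never touches the real heap, so the second free is counted rather than executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One-slot model allocator (constructed for this example, hypothetical names). */
static unsigned char slot[64];
static int slot_live, double_frees;

static void *m_alloc(void) { slot_live = 1; return slot; }
static void m_free(void *p) {
    if (!p) return;
    if (!slot_live) double_frees++;          /* block was already released */
    slot_live = 0;
}
static void *m_realloc(void *p, size_t n) {
    if (n == 0) { m_free(p); return NULL; }  /* common behaviour noted in the report */
    if (n > sizeof slot) return NULL;        /* genuine failure: p is still live */
    slot_live = 1; return slot;
}

/* Pattern from the report: every NULL from realloc is treated as out-of-memory,
   and the error path frees the old pointer again. */
static int grow_unchecked(void *out, int layers, int stride) {
    void *tmp = m_realloc(out, (size_t)layers * (size_t)stride);
    if (!tmp) { m_free(out); return -1; }
    return 0;
}

/* Hardened variant: a zero or overflowing size never reaches realloc, so a
   NULL return can only mean the caller still owns the old block. */
static int grow_checked(void *out, int layers, int stride) {
    if (layers <= 0 || stride <= 0 || (size_t)layers > SIZE_MAX / (size_t)stride) {
        m_free(out); return -1;              /* single release on the error path */
    }
    void *tmp = m_realloc(out, (size_t)layers * (size_t)stride);
    if (!tmp) { m_free(out); return -1; }
    return 0;
}

/* Runs one resize and returns how many double frees it produced. */
static int count_double_frees(int hardened, int layers, int stride) {
    double_frees = 0;
    void *out = m_alloc();
    if (hardened) grow_checked(out, layers, stride); else grow_unchecked(out, layers, stride);
    if (slot_live) m_free(out);              /* success path: caller releases once */
    return double_frees;
}

int main(void) {
    printf("unchecked, size 0: %d\n", count_double_frees(0, 0, 4));
    printf("checked,   size 0: %d\n", count_double_frees(1, 0, 4));
    return 0;
}
```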