When stbi_set_flip_vertically_on_load is set to true and req_comp is set to a number that doesn't match the real number of components per pixel, the library attempts to flip the image vertically using the wrong pixel size.
A crafted image file can trigger a memcpy [3] out-of-bounds read because bytes_per_pixel [1], used to calculate bytes_per_row [2], doesn't match the real dimensions of the image array that is being flipped.
STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int **delays, int *x, int *y, int *z, int *comp, int req_comp)
{
   unsigned char *result;
   stbi__context s;
   stbi__start_mem(&s,buffer,len);
   result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp); // [4]
   if (stbi__vertically_flip_on_load) {
      stbi__vertical_flip_slices( result, *x, *y, *z, *comp ); // [5]
   }
   return result;
}

static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y, int *z, int *comp, int req_comp)
{
   ...
   // do the final conversion after loading everything;
   if (req_comp && req_comp != 4)
      out = stbi__convert_format(out, 4, req_comp, layers * g.w, g.h);
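Added example, not stb_image's own code: a C model of the flip path shown above with an explicit bounds check. It reproduces the arithmetic of stbi__vertical_flip_slices and stbi__vertical_flip (row size from bytes_per_pixel, one slice per layer) and reports how many bytes the memcpy would read past the buffer when the flip is handed comp instead of the channel count that stbi__convert_format actually produced, and that passing the converted channel count keeps the flip in bounds. The function names model_vertical_flip and model_gif_flip, the use_fix switch and the sample pixel data are the example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of stbi__vertical_flip (added example, not stb_image's own code).
 * It swaps the rows of one w x h slice holding bytes_per_pixel bytes per
 * pixel the way the library does, but also takes the true size of the
 * allocation and refuses the flip when bytes_per_row * h [2] would run past
 * it, returning the number of bytes the memcpy [3] would have over-read.
 * Returns 0 when the flip stayed in bounds. */
static size_t model_vertical_flip(unsigned char *image, int w, int h,
                                  int bytes_per_pixel, size_t alloc_size)
{
    size_t bytes_per_row = (size_t)w * (size_t)bytes_per_pixel;  /* [1] feeds [2] */
    size_t needed = bytes_per_row * (size_t)h;
    if (needed > alloc_size)
        return needed - alloc_size;

    unsigned char temp[2048];
    for (int row = 0; row < h >> 1; row++) {
        unsigned char *row0 = image + (size_t)row * bytes_per_row;
        unsigned char *row1 = image + (size_t)(h - row - 1) * bytes_per_row;
        size_t left = bytes_per_row;
        while (left) {
            size_t n = left < sizeof temp ? left : sizeof temp;
            memcpy(temp, row0, n);
            memcpy(row0, row1, n);
            memcpy(row1, temp, n);
            row0 += n;
            row1 += n;
            left -= n;
        }
    }
    return 0;
}

/* Model of the tail of stbi_load_gif_from_memory.  The GIF decoder reports
 * comp == 4 and yields `layers` slices of w*h RGBA pixels; with req_comp set,
 * stbi__convert_format [4] replaces that buffer with one holding req_comp
 * bytes per pixel.  The flip [5] is then called with the stale comp
 * (use_fix == 0, the vulnerable call) or with the converted pixel size
 * (use_fix != 0).  Returns the bytes over-read, 0 when the flip stayed in
 * bounds and produced correctly flipped rows, or (size_t)-1 on failure. */
static size_t model_gif_flip(int w, int h, int layers, int req_comp, int use_fix)
{
    const int comp = 4;
    int out_comp = (req_comp && req_comp != 4) ? req_comp : comp;
    size_t alloc_size = (size_t)w * h * layers * out_comp;
    unsigned char *result = malloc(alloc_size);
    if (!result)
        return (size_t)-1;

    /* Constructed sample data: every byte of a row carries its row index. */
    for (int s = 0; s < layers; s++)
        for (int y = 0; y < h; y++)
            memset(result + ((size_t)s * h + y) * w * out_comp, y, (size_t)w * out_comp);

    int bytes_per_pixel = use_fix ? out_comp : comp;
    size_t slice_size = (size_t)w * h * bytes_per_pixel;
    size_t needed = slice_size * layers;
    if (needed > alloc_size) {               /* the vulnerable call never checks this */
        free(result);
        return needed - alloc_size;
    }
    for (int s = 0; s < layers; s++)
        model_vertical_flip(result + s * slice_size, w, h, bytes_per_pixel,
                            alloc_size - s * slice_size);

    /* After a correct flip the first row of every slice holds index h-1. */
    size_t bad = 0;
    for (int s = 0; s < layers; s++)
        if (result[s * slice_size] != (unsigned char)(h - 1))
            bad = (size_t)-1;
    free(result);
    return bad;
}

int main(void)
{
    printf("vulnerable, req_comp=1: over-read %zu bytes\n", model_gif_flip(16, 8, 2, 1, 0));
    printf("fixed,      req_comp=1: over-read %zu bytes\n", model_gif_flip(16, 8, 2, 1, 1));
    printf("vulnerable, req_comp=0: over-read %zu bytes\n", model_gif_flip(16, 8, 2, 0, 0));
    return 0;
}
```

With req_comp=1 the converted buffer holds a quarter of the bytes the flip assumes, so three quarters of every slice is read from beyond the allocation; with req_comp=0 or 4 no conversion happens and the same call is harmless, which is why the bug only surfaces for a mismatched req_comp.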
Impact
This issue may be used to leak internal memory allocation information.
==58950==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f5f9fe18b98 at pc 0x00000049db51 bp 0x7ffdf2aed0f0 sp 0x7ffdf2aec8c0
READ of size 756 at 0x7f5f9fe18b98 thread T0
#0 0x49db50 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x4e2608 in stbi__vertical_flip(void*, int, int, int) tests/../stb_image.h:1235:10
#2 0x4dfaee in stbi__vertical_flip_slices(void*, int, int, int, int) tests/../stb_image.h:1252:7
#3 0x4dea9b in stbi_load_gif_from_memory tests/../stb_image.h:1450:7
The reason for this is that stbi_load_gif_from_memory calls stbi__vertical_flip_slices [5] with the number of bytes per pixel of the decoded image, comp (4 for the GIF decoder, as the conversion call at [4] also assumes), whereas stbi__load_gif_main [4] has already converted the image to the requested number of bytes per pixel. stbi__convert_format frees the decoded buffer and returns a smaller allocation holding req_comp bytes per pixel, so the flip computes its row and slice sizes for a buffer up to four times larger than the one it is given and the memcpy reads past its end, which is consistent with the sanitizer report above classifying the over-read as a heap-use-after-free.
Resources
To reproduce the issue: