A crafted image file can make stbi__load_gif_main_outofmem free the out variable a second time (a double-free). [1]
static void *stbi__load_gif_main_outofmem(stbi__gif *g, stbi_uc *out, int **delays)
{
STBI_FREE(g->out);        // decoder-owned buffers, distinct from the caller's `out`
STBI_FREE(g->history);
STBI_FREE(g->background);
if (out) STBI_FREE(out);  // [1] Double-free: `out` may already have been released by realloc(out, 0)
if (delays && *delays) STBI_FREE(*delays);
return stbi__errpuc("outofmem", "Out of memory");
}
This happens in stbi__load_gif_main. The accumulated frame buffer is grown with STBI_REALLOC_SIZED(out, out_size, layers * stride), where stride is g.w * g.h * 4. For a GIF whose logical screen has zero width or height, layers * stride is zero [2]. What realloc does with a size of zero is implementation-defined in C, but the common behavior, and glibc's, is to free the old block and return a null pointer. The code treats that null return as an out-of-memory failure and calls stbi__load_gif_main_outofmem with the now-dangling out pointer, which frees it a second time [3] only a few lines below the first "free" [2]. Because nothing in the same thread allocates between the two frees, turning the double-free into a useful primitive would realistically require another thread to allocate in between, so the issue is potentially exploitable only in a multi-threaded environment.
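The following is an added example, not stb_image code: a small model of the frame-accumulation loop in stbi__load_gif_main, with the allocator instrumented (in the spirit of stb_image's STBI_MALLOC/STBI_REALLOC_SIZED/STBI_FREE hooks) so that the second free of out is reported rather than corrupting the heap. The tracking allocator reproduces glibc's behavior explicitly (malloc(0) returns a freeable chunk, realloc(p, 0) frees p and returns NULL) so the outcome does not depend on which libc the demo is linked against. The names gif_state, accumulate_frames, t_malloc, t_realloc and t_free are assumptions of this example; the hardened variant rejects a zero-area screen before any allocation and checks the layers * stride product for overflow, which is one way to close the hole, not necessarily the upstream fix.

```c
/* Added example (not stb_image code): model of the GIF frame growth loop.
 * The allocator is instrumented so a double free is detected, not executed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64
static void *live[MAX_LIVE];      /* pointers currently owned by the model */
static int double_free_detected;  /* set when t_free sees an unknown pointer */

static int find_slot(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) return i;
    return -1;
}
static void track_reset(void) { memset(live, 0, sizeof live); double_free_detected = 0; }
static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}

static void *t_malloc(size_t n) {
    void *p = malloc(n ? n : 1);               /* glibc: malloc(0) is a real, freeable chunk */
    int i = find_slot(NULL);
    if (p && i >= 0) live[i] = p;
    return p;
}
static void t_free(void *p) {
    if (!p) return;
    int i = find_slot(p);
    if (i < 0) { double_free_detected = 1; return; }  /* second free: report it, do not free */
    live[i] = NULL;
    free(p);
}
static void *t_realloc(void *p, size_t n) {
    if (n == 0) { t_free(p); return NULL; }   /* glibc: realloc(p, 0) frees p and returns NULL */
    void *q = realloc(p, n);
    if (!q) return NULL;                       /* genuine OOM: p is still valid and owned by caller */
    int i = p ? find_slot(p) : find_slot(NULL);
    if (i >= 0) live[i] = q;
    return q;
}

/* Stand-in for the stbi__gif fields that the out-of-memory helper frees. */
typedef struct { unsigned char *out, *history, *background; int w, h; } gif_state;

/* Same shape as stbi__load_gif_main_outofmem: release decoder state, then the
 * caller's accumulated buffer. If realloc(out, 0) already released `out`, the
 * last call is the double free. */
static void *gif_outofmem(gif_state *g, unsigned char *out) {
    t_free(g->out); t_free(g->history); t_free(g->background);
    if (out) t_free(out);
    return NULL;
}

/* Decode `nframes` frames of a w x h logical screen into one RGBA buffer.
 * hardened == 0 follows the vulnerable growth logic; hardened == 1 rejects a
 * zero-area screen up front and guards the layers * stride multiplication. */
static unsigned char *accumulate_frames(int w, int h, int nframes, int hardened) {
    gif_state g = {0};
    unsigned char *out = NULL;
    int layers = 0;

    if (hardened && (w <= 0 || h <= 0)) return NULL;   /* never ask realloc for 0 bytes */
    g.w = w; g.h = h;
    g.out = t_malloc(16); g.history = t_malloc(16); g.background = t_malloc(16); /* decoder scratch */
    if (!g.out || !g.history || !g.background) return gif_outofmem(&g, out);

    for (int i = 0; i < nframes; i++) {
        size_t stride = (size_t)g.w * (size_t)g.h * 4;   /* 0 for a zero-area screen */
        ++layers;
        if (hardened && stride && (size_t)layers > (size_t)-1 / stride)
            return gif_outofmem(&g, out);                /* layers * stride would overflow */
        if (out) {
            void *tmp = t_realloc(out, (size_t)layers * stride);
            if (!tmp) return gif_outofmem(&g, out);      /* stride == 0: `out` is already freed here */
            out = tmp;
        } else {
            out = t_malloc((size_t)layers * stride);
            if (!out) return gif_outofmem(&g, out);
        }
        memset(out + (size_t)(layers - 1) * stride, 0x80, stride); /* stands in for copying the frame */
    }
    t_free(g.out); t_free(g.history); t_free(g.background);
    return out;
}

int main(void) {
    track_reset();
    accumulate_frames(0, 0, 2, 0);
    printf("vulnerable, 0x0 screen, 2 frames: double free %s\n",
           double_free_detected ? "detected" : "not detected");
    track_reset();
    accumulate_frames(0, 0, 2, 1);
    printf("hardened,   0x0 screen, 2 frames: double free %s\n",
           double_free_detected ? "detected" : "not detected");
    track_reset();
    unsigned char *img = accumulate_frames(2, 2, 3, 1);
    printf("hardened,   2x2 screen, 3 frames: %s, %d live allocation(s)\n",
           img ? "ok" : "failed", live_count());
    t_free(img);
    return 0;
}
```

The first frame allocates out with malloc(0) (a real chunk on glibc), the second frame's realloc(out, 0) releases it, and gif_outofmem then frees the same pointer again; the tracking allocator flags this instead of letting glibc abort. The check that matters is the one that runs before any allocation: an image whose width or height is zero has no pixels to decode and should be rejected at header parsing time rather than handled in the growth path.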
Impact
A double-free is heap memory corruption, so this issue may lead to code execution.
Resources
To reproduce the issue: