Out-of-bounds Memory Access in stb_image Library during GIF Image Processing
Summary
An out-of-bounds memory access has been discovered in the stb_image.h library. This issue arises while processing GIF images loaded from memory, leading to a segmentation fault. This vulnerability may result in a denial of service (DoS) or could be exploited to execute arbitrary code.
Affected Component
The vulnerability affects the processing routines within the stb_image.h library that handle GIF images, specifically within the context of the stbi_load_gif_from_memory function.
SEGV Details
AddressSanitizer:DEADLYSIGNAL
=================================================================
==123==ERROR: AddressSanitizer: SEGV on unknown address 0x62ffffff6a28 (pc 0x707570258c23 bp 0x7ffdc3aa7d60 sp 0x7ffdc3aa7528 T0)
==123==The signal is caused by a READ memory access.
#0 0x707570258c23 (/lib/x86_64-linux-gnu/libc.so.6+0xbbc23) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
#1 0x49ca08 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#2 0x51b38c in stbi__gif_load_next /dev/shm/./stb_image.h:6815:16
#3 0x4db9a9 in stbi__load_gif_main /dev/shm/./stb_image.h:6981:14
#4 0x4db3ea in stbi_load_gif_from_memory /dev/shm/./stb_image.h:1449:30
#5 0x4e0d31 in main /dev/shm/poc.c:208:26
#6 0x7075701c1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
#7 0x41c3ad in _start (/dev/shm/poc+0x41c3ad)
The issue is triggered by an out-of-bounds memory access during GIF image processing. The vulnerability is highlighted in the following segments of the code, as outlined by the stack trace:
stbi__gif_load_next (Line 6815):
Code snippet: memcpy( &g->out[pi * 4], &two_back[pi * 4], 4 );
Issue: Copies pixel data from the two_back buffer for GIF processing without adequate bounds checking, leading to potential out-of-bounds access.
stbi__load_gif_main (Line 6981):
Code snippet: u = stbi__gif_load_next(s, &g, comp, req_comp, two_back);
Issue: Invokes stbi__gif_load_next, propagating the handling of potentially malformed or unexpected GIF data that could lead to unsafe memory operations.
stbi_load_gif_from_memory (Line 1449):
Code snippet: result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
Issue: The GIF loading process begins here, passing through critical data that, if not properly validated or managed, results in out-of-bounds memory access.
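The memcpy at line 6815 copies each pixel from the two_back buffer into g->out, and the ASan report shows the faulting access is a read. As an added illustration, not stb_image's own code, the following C program places a copy loop of that shape beside a bounds-checked version that refuses the copy when the source frame is missing or has different geometry than the destination. The names frame_buf, restore_pixels_unchecked, restore_pixels_checked and demo_restore are hypothetical, and the pixel data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not stb_image code): an RGBA frame buffer,
   4 bytes per pixel, as a GIF decoder keeps for the current and earlier frames. */
typedef struct {
    unsigned char *pixels;   /* RGBA bytes; NULL when no such frame exists yet */
    size_t width, height;
} frame_buf;

/* Unchecked copy in the shape of the crashing call,
   memcpy(&g->out[pi * 4], &two_back[pi * 4], 4), repeated for every pixel.
   It trusts that two_back is non-NULL and at least w*h*4 bytes long; if either
   assumption is false the read runs past valid memory, which is what ASan reports. */
void restore_pixels_unchecked(unsigned char *out, const unsigned char *two_back,
                              size_t w, size_t h)
{
    for (size_t pi = 0; pi < w * h; ++pi)
        memcpy(&out[pi * 4], &two_back[pi * 4], 4);
}

/* Hardened form: refuse the copy unless both buffers exist, share the same
   geometry, and the byte count cannot overflow. Returns 0 on success, -1 on refusal. */
int restore_pixels_checked(frame_buf *out, const frame_buf *two_back)
{
    size_t npix;
    if (out == NULL || out->pixels == NULL)
        return -1;
    if (two_back == NULL || two_back->pixels == NULL)
        return -1;                       /* no earlier frame to restore from */
    if (out->width != two_back->width || out->height != two_back->height)
        return -1;                       /* geometry mismatch: buffer sizes differ */
    if (out->width != 0 && out->height > SIZE_MAX / out->width)
        return -1;                       /* w*h would overflow size_t */
    npix = out->width * out->height;
    if (npix > SIZE_MAX / 4)
        return -1;                       /* w*h*4 would overflow size_t */
    memcpy(out->pixels, two_back->pixels, npix * 4);
    return 0;
}

/* Exercise the checked copy on constructed 2x2 frames.
   Returns 0 if every case behaves as intended, otherwise the number of the failing case. */
int demo_restore(void)
{
    unsigned char prev[2 * 2 * 4], cur[2 * 2 * 4];
    frame_buf out     = { cur,  2, 2 };
    frame_buf back    = { prev, 2, 2 };   /* valid earlier frame */
    frame_buf missing = { NULL, 2, 2 };   /* earlier frame never produced */
    frame_buf smaller = { prev, 1, 1 };   /* earlier frame with different geometry */

    for (int i = 0; i < 16; ++i) {
        prev[i] = (unsigned char)(0xA0 + i);   /* constructed pixel data */
        cur[i] = 0;
    }
    if (restore_pixels_checked(&out, &back) != 0 || memcmp(cur, prev, 16) != 0)
        return 1;                        /* matching frames: copy must succeed */
    if (restore_pixels_checked(&out, &missing) != -1)
        return 2;                        /* NULL source must be refused, not read */
    if (restore_pixels_checked(&out, &smaller) != -1)
        return 3;                        /* size mismatch must be refused */
    return 0;
}

int main(void)
{
    int rc = demo_restore();
    printf("checked frame restore: %s\n", rc == 0 ? "all cases handled" : "FAILED");
    return rc;
}
```

The point of the checked variant is that the decision to copy is made from the frame metadata before any byte is touched, so a malformed file that leaves the earlier frame absent or differently sized produces an error return instead of a read past the buffer.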
Steps to Reproduce