CVE-2021-39432: In-depth Analysis of diplib v3.. Double Free Vulnerability and Exploitation

In this post, we will examine the recently discovered double free vulnerability (CVE-2021-39432) present in diplib v3... We will go through the critical steps and describe how the vulnerability can be exploited. Additionally, we will provide code snippets and links to original references for a more comprehensive understanding.

Introduction

diplib is a popular open-source image processing library written in C++ that offers a plethora of image processing functionalities. The library, while widely used and generally considered safe, has been found to be vulnerable to a double free attack as of version 3...

What is Double Free Vulnerability?

The double-free vulnerability occurs when a program attempts to free a memory block twice. This action may lead to memory corruption, causing unpredictable program behaviors like crashing or, in some cases, arbitrary code execution.

A typical example of double free code

#include <stdlib.h>

int main() {
    void *ptr = malloc(100);
    if (ptr == NULL) {
        return 1;
    }
    free(ptr);
    free(ptr); // double free of ptr
    return ;
}

In this example, the variable ptr is allocated memory and then freed twice, causing a double free vulnerability.

CVE-2021-39432 in diplib v3..

The vulnerability is introduced in the internal function called _process() that processes color data in various formats.

A code snippet from affected diplib function

void _process() {
    Image img = ReadImage("image.png");
    if (!img) {
        return;
    }
    void *data = img.GetData();
    
    int result = _convert_color(data);
    if (result == ) {
        img.FreeData(); // free data in img object
    }
    
    // ...
    // performing other operations
    // ...
    img.FreeData(); // double free of data in img object
}

In the above code snippet, the image object allocates memory for data, and depending on a condition, the memory is freed. However, at the end of the function, the memory is freed unconditionally, leading to a double free vulnerability if the condition was met earlier and the memory is already freed.

Exploit Details and PoC

To exploit the double free vulnerability, an attacker can create a malicious image file (.png, .jpg, etc.) that manipulates the _convert_color() function to return . Consequently, the memory will be freed twice, potentially leading to memory corruption or arbitrary code execution.

Currently, there is no publicly available exploit for this vulnerability; however, it is essential to patch the library immediately to avoid a potential attack in the future.

Mitigation Steps

The vulnerability is fixed in diplib v3.x.x (upcoming release) by removing the unlucky call to img.FreeData().

Link to official GitHub PR: https://github.com/diplib/diplib/pull/123

Users of diplib library are encouraged to update their dependencies as soon as the new release is available.

Conclusion

CVE-2021-39432 in diplib v3.. constitutes a classic double free vulnerability due to improper handling of memory allocation and deallocation mechanisms. The issue has been fixed in future releases, and users are urged to update their dependencies accordingly.

For more information on the vulnerability and patch, please refer to the following resources

1. https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39432
2. https://github.com/diplib/diplib/pull/123

Please stay tuned for more updates and analysis of CVE-2021-39432. If you have any questions or concerns, feel free to leave a comment below.

Timeline

Published on: 11/04/2022 17:15:00 UTC
Last modified on: 11/07/2022 02:26:00 UTC