stb_image is a popular, single-file MIT licensed library used for processing images. Recently, an issue has been discovered within the library, which could potentially lead to memory leaks, or double-free vulnerabilities. This post aims to provide detailed information about the vulnerability, the relevant code snippets, as well as links to the original references and exploit details.

Vulnerability Overview

Upon analyzing the stbi__load_gif_main function, it seems that there are no guarantees about the content of the output value *delays when the function fails. The *delays is set to zero at the start of the function, but this does not happen if the image is not recognized as a GIF. Consequently, a call to stbi__load_gif_main_outofmem only takes care of freeing any potentially allocated memory in *delays, leaving it uninitialized.

The responsibility lies with the caller of stbi__load_gif_main to ensure the allocated memory in *delays is freed only if the function returns a non-null value. However, there is a possibility that the function may return a null value and still fail to free the memory in *delays if stbi__convert_format is invoked and fails internally. This conflict could lead to memory leaks if the caller opts to free delays only when the function did not fail, or in a double-free scenario if the delays are always freed.

Code Snippet

void stbi__load_gif_main(...)
{
   // Initialization of the delays variable
   *delays = ;

   if (...) {
      // In case the image is not recognized as a GIF
   } else {
      // Normal GIF processing

      if (stbi__convert_format(...))
      {
         // Some processing leading to function failure
      }
      else
      {
         // Function success
      }
   }

   // Call to free any potentially allocated memory in delays
   stbi__load_gif_main_outofmem(...);
}

Exploit Details

An attacker could exploit this vulnerability by crafting a specially designed GIF image with specific attributes that would force the stbi__load_gif_main function to fail during processing. As a result, the memory leak or double-free scenario would occur depending on how the caller handles memory allocation and deallocation for the *delays variable.

Original References

- stb_image library GitHub repository: https://github.com/nothings/stb

Mitigation

To mitigate this vulnerability, callers of stbi__load_gif_main should validate the return value of the function and guarantee that memory is correctly handled for the *delays variable, considering both success and failure cases. Additionally, the stb_image library maintainers should consider improving the handling of memory allocation and deallocation within the vulnerable function and address the detected issue in future releases.

In conclusion, users of the stb_image library should be aware of this vulnerability (CVE-2023-45666) and take necessary steps to ensure proper memory handling when processing images. Keep an eye out for updated releases of the library and patches that address this vulnerability.

Timeline

Published on: 10/21/2023 00:15:09 UTC
Last modified on: 11/04/2023 06:15:53 UTC