stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger stbi__load_gif_main_outofmem
attempt to double-free the out variable. This happens in stbi__load_gif_main
because when the layers * stride
value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Stb_image.h | Nothings | 2.28 (including) | 2.28 (including) |
Libstb | Ubuntu | bionic | * |
Libstb | Ubuntu | lunar | * |
Libstb | Ubuntu | mantic | * |
Libstb | Ubuntu | trusty | * |
Libstb | Ubuntu | xenial | * |