Description
A double free when loading a crafted image using CImg.
The tested code commit is 0e9fe67.
The AddressSanitizer report is as follows:
==6191==ERROR: AddressSanitizer: attempting double-free on 0x62100001a500 in thread T0:
#0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f1be40cbc55 in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7bc55)
#2 0x7f1be40bd29e in fclose (/lib/x86_64-linux-gnu/libc.so.6+0x6d29e)
#3 0x7f1be4f6f7cd in fclose (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x977cd)
#4 0x40a518 in cimg_library::cimg::fclose(_IO_FILE*) ../CImg.h:6187
#5 0x49b051 in cimg_library::CImg::_load_bmp(_IO_FILE*, char const*) ../CImg.h:48467
#6 0x4b84a4 in cimg_library::CImg::load_bmp(char const*) ../CImg.h:48280
#7 0x4b84a4 in cimg_library::CImg::load(char const*) ../CImg.h:48122
#8 0x4022fa in cimg_library::CImg::assign(char const*) ../CImg.h:11514
#9 0x4022fa in cimg_library::CImg::CImg(char const*) ../CImg.h:11161
#10 0x4022fa in main /src/CImg/fuzz-test/bmp-test.cpp:25
#11 0x7f1be407082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500)
freed by thread T0 here:
#0 0x7f1be4f702ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f1be40cbe3c in _IO_default_finish (/lib/x86_64-linux-gnu/libc.so.6+0x7be3c)
previously allocated by thread T0 here:
#0 0x7f1be4f70602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f1be40bd1d4 in _IO_file_doallocate (/lib/x86_64-linux-gnu/libc.so.6+0x6d1d4)
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==6191==ABORTING
PoC:
https://github.com/xiaoqx/pocs/blob/master/cimg/cimg-double-free-1
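Both frees in the trace come from fclose, so the same FILE* is being closed twice on the _load_bmp path. A common way this happens in a loader that either borrows a caller's stream or opens its own is that an error path closes the stream once locally and again in a caller. The sketch below is an added example, not CImg's code, of making that ownership explicit so every exit path closes an owned stream exactly once; the function shape, the names, and the 54-byte header check are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>

// Counts real closes so a test can check that a stream is closed exactly once.
static int g_close_count = 0;

struct FileCloser {
    void operator()(std::FILE *f) const { if (f) { ++g_close_count; std::fclose(f); } }
};
using OwnedFile = std::unique_ptr<std::FILE, FileCloser>;

// Hypothetical loader shaped like a CImg _load_xxx(file, filename) routine:
// 'file' is a caller-owned stream if non-null, otherwise we open 'filename'.
// Only the stream we open is owned by 'owned', and its destructor closes it
// once on every exit path (including throws), so no manual fclose is needed.
static std::size_t load_bmp_like(std::FILE *file, const char *filename) {
    OwnedFile owned(file ? nullptr : std::fopen(filename, "rb"));
    std::FILE *nfile = file ? file : owned.get();
    if (!nfile) throw std::runtime_error("cannot open file");
    unsigned char header[54];
    if (std::fread(header, 1, sizeof header, nfile) != sizeof header)
        throw std::runtime_error("truncated BMP header");   // no fclose here
    if (header[0] != 'B' || header[1] != 'M')
        throw std::runtime_error("not a BMP file");          // nor here
    // Width lives at offset 18 of the BMP header, little-endian.
    return std::size_t(header[18]) | (std::size_t(header[19]) << 8)
         | (std::size_t(header[20]) << 16) | (std::size_t(header[21]) << 24);
}

struct Outcome { bool threw; int closes; std::size_t width; };

// Writes constructed sample bytes to 'path', runs the loader on them and reports
// whether it threw and how many closes the loader itself performed.
static Outcome run_on_bytes(const std::string &bytes, const char *path) {
    { std::FILE *w = std::fopen(path, "wb"); std::fwrite(bytes.data(), 1, bytes.size(), w); std::fclose(w); }
    int before = g_close_count;
    Outcome o{false, 0, 0};
    try { o.width = load_bmp_like(nullptr, path); }
    catch (const std::exception &) { o.threw = true; }
    o.closes = g_close_count - before;
    return o;
}
```

For a borrowed stream the loader must close nothing; the caller that opened it keeps that responsibility, which is exactly the invariant the trace shows being broken.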