Use-After-Free bug in gifview (tested with the latest version 1.89) #114

Closed
junxzm1990 opened this issue Aug 9, 2017 · 5 comments

@junxzm1990

commented Aug 9, 2017

When viewing a gif figure:

gifread.c:796 gfi = Gif_NewImage(); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L796
-> A new object gfi is allocated

gifread.c:826 Gif_AddImage(gfs, gfi)); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L826
-> gfi is added into gfs->images (assuming with index 0)
-> gfi->refcount increases by 1

gifread.c:828 read_image(grr, &gfc, gfi, read_flags); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L828
-> Try to read the image
-> Assuming this call fails and returns 0 (due to a corrupted figure)

gifread.c:829 Gif_RemoveImage(gfs, gfs->nimages - 1); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L829
-> Gif_DeleteImage(gfs->images[gfs->nimages - 1])
-> Gif_Delete(gfs->images[gfs->nimages - 1]) (i.e., Gif_Delete(gfi))
-> gfi is freed

gifread.c:830 goto done //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L830

gifread.c:886-893: gfi is used multiple times after being freed. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L886

gifread.c:896: gfi is freed again. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L896
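The allocate / add-to-stream / read fails / remove / `goto done` sequence described in the report, as an added C example that is not gifsicle's code: `Image`, `Stream`, the refcount rules and the toy record format are hypothetical stand-ins for Gif_Image, Gif_Stream and the GIF image reader, chosen to match the ownership described above (the stream's slot holds the only counted reference, so removing the image frees it). The reader is instrumented so that the stale pointer at `done:` is recognised and reported instead of dereferenced; `apply_fix` toggles one correct fix, clearing the pointer after removal (the commit referenced in the thread may differ in detail).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for gifsicle's Gif_Image and Gif_Stream; they model
   only the ownership rules the report describes, not the real structures. */
typedef struct {
    int refcount;            /* 0 on creation; the stream's slot adds one */
    int width, height;
    int transparent;
    uint8_t *pixels;
} Image;

typedef struct {
    Image **images;
    int nimages;
} Stream;

/* Instrumentation: the address of the most recently freed Image, so a stale
   pointer can be recognised without dereferencing it. */
static uintptr_t g_last_freed;

static Image *image_new(void) {
    return calloc(1, sizeof(Image));   /* refcount starts at 0 */
}

static void image_delete(Image *im) {
    if (!im || --im->refcount > 0)
        return;                        /* another holder remains */
    free(im->pixels);
    g_last_freed = (uintptr_t)im;
    free(im);
}

static int stream_add_image(Stream *s, Image *im) {
    Image **p = realloc(s->images, (size_t)(s->nimages + 1) * sizeof *p);
    if (!p)
        return 0;
    s->images = p;
    s->images[s->nimages++] = im;
    im->refcount++;                    /* the stream now owns a reference */
    return 1;
}

static void stream_remove_image(Stream *s, int idx) {
    Image *im = s->images[idx];
    memmove(&s->images[idx], &s->images[idx + 1],
            (size_t)(s->nimages - idx - 1) * sizeof *s->images);
    s->nimages--;
    image_delete(im);                  /* refcount 1 -> 0: the image is freed */
}

static void stream_free(Stream *s) {
    for (int i = 0; i < s->nimages; i++)
        image_delete(s->images[i]);
    free(s->images);
    s->images = NULL;
    s->nimages = 0;
}

/* Toy record format (constructed for this example, not GIF): one byte width,
   one byte height, then width*height pixel bytes. Truncation fails the read. */
static int read_image(const uint8_t *buf, size_t len, size_t *pos, Image *im) {
    if (*pos + 2 > len)
        return 0;
    im->width = buf[*pos];
    im->height = buf[*pos + 1];
    *pos += 2;
    size_t need = (size_t)im->width * (size_t)im->height;
    if (need > len - *pos)
        return 0;                      /* corrupted/truncated image */
    im->pixels = malloc(need ? need : 1);
    if (!im->pixels)
        return 0;
    memcpy(im->pixels, buf + *pos, need);
    *pos += need;
    return 1;
}

typedef enum { READ_OK, READ_ERROR, READ_STALE_POINTER } ReadResult;

/* Mirrors the control flow in the report. apply_fix == 0 keeps the dangling
   pointer alive across goto done; apply_fix == 1 clears it after removal. */
static ReadResult read_stream(Stream *s, const uint8_t *buf, size_t len, int apply_fix) {
    Image *gfi = NULL;
    size_t pos = 0;
    ReadResult rc = READ_OK;
    g_last_freed = 0;

    while (pos < len) {
        gfi = image_new();                              /* cf. gifread.c:796 */
        if (!gfi) { rc = READ_ERROR; goto done; }
        if (!stream_add_image(s, gfi)) {                /* cf. :826 */
            image_delete(gfi); gfi = NULL; rc = READ_ERROR; goto done;
        }
        if (!read_image(buf, len, &pos, gfi)) {         /* cf. :828 fails */
            stream_remove_image(s, s->nimages - 1);     /* cf. :829 frees gfi */
            if (apply_fix)
                gfi = NULL;                             /* the fix: drop the stale pointer */
            rc = READ_ERROR;
            goto done;                                  /* cf. :830 */
        }
    }
done:
    /* cf. :886-896: the last image is touched here. Report a pointer that
       equals the last freed address instead of dereferencing freed memory. */
    if (gfi && (uintptr_t)gfi == g_last_freed)
        return READ_STALE_POINTER;
    if (gfi)
        gfi->transparent = -1;         /* stand-in for metadata attached to the last image */
    return rc;
}

/* Constructed inputs: a valid two-image stream, and one whose second image
   claims 3x3 pixels but supplies only two. */
static const uint8_t kGood[] = { 2, 1, 0xAA, 0xBB, 1, 1, 0xCC };
static const uint8_t kTruncated[] = { 2, 1, 0xAA, 0xBB, 3, 3, 0x01, 0x02 };

static ReadResult run_case(const uint8_t *buf, size_t len, int apply_fix) {
    Stream s = { NULL, 0 };
    ReadResult r = read_stream(&s, buf, len, apply_fix);
    stream_free(&s);
    return r;
}

static int surviving_images(const uint8_t *buf, size_t len, int apply_fix) {
    Stream s = { NULL, 0 };
    read_stream(&s, buf, len, apply_fix);
    int n = s.nimages;
    stream_free(&s);
    return n;
}

int main(void) {
    printf("good, unfixed:      %d\n", run_case(kGood, sizeof kGood, 0));
    printf("truncated, unfixed: %d\n", run_case(kTruncated, sizeof kTruncated, 0));
    printf("truncated, fixed:   %d\n", run_case(kTruncated, sizeof kTruncated, 1));
    return 0;
}
```

Without the address check, the unfixed path would write through `gfi` after `stream_remove_image` freed it, which is exactly what AddressSanitizer (`-fsanitize=address`) reports as a heap-use-after-free; a regression test of the kind asked about later in this thread would be a truncated input file run through the reader under ASan. Note that in the unfixed case the stream itself is consistent (one image survives) and the bug lives only in the reader's local pointer, which is why clearing that pointer is sufficient.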

kohler added a commit that referenced this issue Aug 10, 2017

@kohler

Owner

commented Aug 10, 2017

Thanks for this (and your emails). Does the fix in 81fd782 work for your test image?

@junxzm1990

Author

commented Aug 10, 2017

Yes, it works.

@h3xx


commented Aug 11, 2017

Is there some way to incorporate this test into a CI process to prevent it from coming back?

@kohler

Owner

commented Aug 11, 2017

Well, you could write a test and put it in test/.

@kohler kohler closed this Aug 14, 2017

@carnil


commented Jan 3, 2018

This issue was assigned CVE-2017-1000421
