Use-After-Free bug in gifview (tested with the latest version 1.89) #114

Closed
junxzm1990 opened this Issue Aug 9, 2017 · 5 comments

junxzm1990 commented Aug 9, 2017

When viewing a gif figure:

gifread.c:796 gfi = Gif_NewImage(); // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L796
-> A new object gfi is allocated

gifread.c:826 Gif_AddImage(gfs, gfi); // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L826
-> gfi is added into gfs->images (assuming with index 0)
-> gfi->refcount increases by 1

gifread.c:828 read_image(grr, &gfc, gfi, read_flags); // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L828
-> Try to read the image
-> Assuming this call fails and returns 0 (due to a corrupted figure)

gifread.c:829 Gif_RemoveImage(gfs, gfs->nimages - 1); // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L829
-> Gif_DeleteImage(gfs->images[gfs->nimages - 1])
-> Gif_Delete(gfs->images[gfs->nimages - 1]) (i.e., Gif_Delete(gfi))
-> gfi is freed

gifread.c:830 goto done; // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L830

gifread.c:886-893: gfi is used multiple times after being freed. // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L886

gifread.c:896: gfi is freed again. // https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L896
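The report above describes a classic ownership mismatch: the container (gfs->images) and the local variable gfi both point at the same object, but only the container holds a counted reference, so dropping the image from the container on the error path frees it while the local pointer is still live and still used (and then released again) after `done`. The program below is an added illustration of one way to make that sequence safe, written for this page; it is not gifsicle's code and not the fix in 81fd782. `Image`, `Stream`, `read_image` and `read_stream_image` are constructed stand-ins for the gifread.c names, and the two-byte "headers" are constructed input. The point it demonstrates is that the function takes its own reference on the object it keeps a pointer to, so the container can drop its reference freely and the object is freed exactly once, at the single `image_unref` after `done`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Gif_Image: only the fields this example needs. */
typedef struct {
    int refcount;
    int width, height;
    unsigned char *img;
} Image;

/* Constructed stand-in for the image array inside Gif_Stream. */
typedef struct {
    Image **images;
    int nimages;
} Stream;

static int g_frees;   /* counts image frees so the test can prove "exactly once" */

static Image *image_new(void) {
    return calloc(1, sizeof(Image));       /* refcount 0: nobody owns it yet */
}

static void image_ref(Image *gfi) { gfi->refcount++; }

/* Drops one reference and frees the object only when the last one goes away. */
static void image_unref(Image *gfi) {
    if (gfi && --gfi->refcount <= 0) {
        free(gfi->img);
        free(gfi);
        g_frees++;
    }
}

static void stream_add_image(Stream *gfs, Image *gfi) {
    Image **grown = realloc(gfs->images, (size_t)(gfs->nimages + 1) * sizeof *grown);
    if (!grown) abort();
    gfs->images = grown;
    gfs->images[gfs->nimages++] = gfi;
    image_ref(gfi);                        /* the array now holds its own reference */
}

static void stream_remove_image(Stream *gfs, int idx) {
    Image *gfi = gfs->images[idx];
    memmove(&gfs->images[idx], &gfs->images[idx + 1],
            (size_t)(gfs->nimages - idx - 1) * sizeof *gfs->images);
    gfs->nimages--;
    image_unref(gfi);                      /* frees only if this was the last reference */
}

static void stream_clear(Stream *gfs) {
    while (gfs->nimages > 0)
        stream_remove_image(gfs, gfs->nimages - 1);
    free(gfs->images);
    gfs->images = NULL;
}

/* Constructed stand-in for read_image(): two header bytes; a zero dimension means corrupt. */
static int read_image(const unsigned char *data, size_t len, Image *gfi) {
    if (len < 2 || data[0] == 0 || data[1] == 0)
        return 0;
    gfi->width = data[0];
    gfi->height = data[1];
    gfi->img = malloc((size_t)gfi->width * (size_t)gfi->height);
    return gfi->img != NULL;
}

/* Hardened version of the reported sequence. Returns the pixel count on success,
 * -1 for a corrupt image. Because the function holds its own reference, removing
 * the image from the stream on failure cannot free the object it still points at,
 * and the single image_unref() after 'done' is the only release of that reference. */
static int read_stream_image(Stream *gfs, const unsigned char *data, size_t len) {
    int result = -1;
    Image *gfi = image_new();
    if (!gfi) return -1;
    image_ref(gfi);                        /* local reference  (refcount 1) */
    stream_add_image(gfs, gfi);            /* stream reference (refcount 2) */
    if (!read_image(data, len, gfi)) {
        stream_remove_image(gfs, gfs->nimages - 1);   /* back to 1: object still alive */
        goto done;
    }
    result = gfi->width * gfi->height;
done:
    if (gfi->img == NULL)                  /* safe on both paths: we still own a reference */
        result = -1;
    image_unref(gfi);                      /* last reference on failure; stream keeps its own on success */
    return result;
}

/* Runs a corrupt-then-valid scenario and returns how many of its five checks held. */
static int demo(void) {
    static const unsigned char corrupt[] = {0, 7};   /* constructed: zero width */
    static const unsigned char valid[]   = {4, 3};   /* constructed: 4x3 image */
    Stream gfs = {NULL, 0};
    int passed = 0;
    g_frees = 0;
    if (read_stream_image(&gfs, corrupt, sizeof corrupt) == -1) passed++;
    if (gfs.nimages == 0 && g_frees == 1) passed++;                  /* freed once, never twice */
    if (read_stream_image(&gfs, valid, sizeof valid) == 12) passed++;
    if (gfs.nimages == 1 && gfs.images[0]->refcount == 1) passed++;  /* stream is the sole owner */
    stream_clear(&gfs);
    if (g_frees == 2) passed++;                                      /* valid image freed on clear */
    return passed;
}

int main(void) {
    printf("%d/5 checks passed\n", demo());
    return 0;
}
```

Running the same scenario under AddressSanitizer (`-fsanitize=address`) is the quickest way to confirm that neither path touches freed memory; the `g_frees` counter is there so a plain test can check the "exactly once" property without a sanitizer.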

Owner

kohler commented Aug 10, 2017

Thanks for this (and your emails). Does the fix in 81fd782 work for your test image?

junxzm1990 commented Aug 10, 2017

Yes, it works.

h3xx commented Aug 11, 2017

Is there some way to incorporate this test into a CI process to prevent it from coming back?

Owner

kohler commented Aug 11, 2017

Well, you could write a test and put it in test/.

@kohler kohler closed this Aug 14, 2017

carnil commented Jan 3, 2018

This issue was assigned CVE-2017-1000421
