Use-After-Free bug in gifview (tested with the latest version 1.89) #114

Closed
junxzm1990 opened this issue Aug 9, 2017 · 5 comments

@junxzm1990

When viewing a gif figure:

gifread.c:796 gfi = Gif_NewImage(); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L796
-> A new object gfi is allocated

gifread.c:826 Gif_AddImage(gfs, gfi); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L826
-> gfi is added into gfs->images (assuming with index 0)
-> gfi->refcount increases by 1

gifread.c:828 read_image(grr, &gfc, gfi, read_flags); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L828
-> Try to read the image
-> Assume this call fails and returns 0 (due to a corrupted figure)

gifread.c:829 Gif_RemoveImage(gfs, gfs->nimages - 1); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L829
-> Gif_DeleteImage(gfs->images[gfs->nimages - 1])
-> Gif_Delete(gfs->images[gfs->nimages - 1]) (i.e., Gif_Delete(gfi))
-> gfi is freed

gifread.c:830 goto done //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L830

gifread.c:886-893: gfi is used multiple times after being freed. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L886

gifread.c:896: gfi is freed again. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L896
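As an added illustration (not gifsicle's code and not the fix in 81fd782), here is a constructed C model of the refcounted image list and of the read loop the report walks through: the pending image is added to the stream before it is read, a failed read removes it and so frees it, and the post-loop block then touches the same pointer. The failure path here clears the local pointer after the removal, which is one assumed way to close the gap; Image, Stream, read_stream and the block letters are names of this model only.

```c
#include <stdlib.h>

/* Constructed model of gifsicle's refcounted image list; the names mirror the
   report above but this is not the project's code. */
typedef struct { int refcount; const char *comment; } Image;
typedef struct { Image **images; int nimages; const char *end_comment; } Stream;

static int frees;   /* every Image free bumps this, so a double free would show as an extra count */

static Image *image_new(void) { return calloc(1, sizeof(Image)); }   /* refcount 0: pending */
static void image_delete(Image *im) {                                  /* Gif_DeleteImage analogue */
    if (im && --im->refcount <= 0) { frees++; free(im); }
}
static void stream_add(Stream *s, Image *im) {                         /* Gif_AddImage: list takes a ref */
    s->images = realloc(s->images, (s->nimages + 1) * sizeof *s->images);
    s->images[s->nimages++] = im;
    im->refcount++;
}
static void stream_remove_last(Stream *s) {                            /* Gif_RemoveImage(gfs, nimages-1) */
    image_delete(s->images[--s->nimages]);
}
static void stream_delete(Stream *s) {
    while (s->nimages) stream_remove_last(s);
    free(s->images); s->images = NULL;
}

/* Mirrors the read loop described above. blocks is a constructed block sequence:
   'c' = comment block (attaches to the pending image), 'i' = image that reads
   fine, 'x' = corrupt image. gfi is always the pending image and is added to the
   stream before it is read, the same ordering the report walks through. */
static int read_stream(Stream *s, const char *blocks) {
    Image *gfi = image_new();
    for (; *blocks; blocks++) {
        if (*blocks == 'c') { gfi->comment = "trailing comment"; continue; }
        stream_add(s, gfi);                 /* refcount 0 -> 1 */
        if (*blocks == 'x') {
            stream_remove_last(s);          /* refcount 1 -> 0: gfi is freed here */
            gfi = NULL;                     /* assumed fix: forget the dangling pointer */
            goto done;
        }
        gfi = image_new();                  /* fresh pending image for the next frame */
    }
done:
    if (gfi) {                              /* the post-loop use (gifread.c:886-893 analogue) */
        s->end_comment = gfi->comment;
        gfi->comment = NULL;
    }
    image_delete(gfi);                      /* gifread.c:896 analogue: frees only the never-added image */
    return s->nimages;
}
```

Without the `gfi = NULL` line, the `if (gfi)` block reads freed memory and `image_delete` frees it a second time, which is the sequence the report describes.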

@kohler
Owner

kohler commented Aug 10, 2017

Thanks for this (and your emails). Does the fix in 81fd782 work for your test image?

@junxzm1990
Author

Yes, it works.

@h3xx

h3xx commented Aug 11, 2017

Is there some way to incorporate this test into a CI process to prevent it from coming back?

@kohler
Owner

kohler commented Aug 11, 2017

Well, you could write a test and put it in test/.

@kohler kohler closed this as completed Aug 14, 2017
@carnil

carnil commented Jan 3, 2018

This issue was assigned CVE-2017-1000421
