Use-After-Free bug in gifview (tested with the latest version 1.89) #114
Comments

kohler added a commit that referenced this issue on Aug 10, 2017

Thanks for this (and your emails). Does the fix in 81fd782 work for your test image?

Yes, it works.

Is there some way to incorporate this test into a CI process to prevent it from coming back?

Well, you could write a test and put it in test/.

This issue was assigned CVE-2017-1000421
When viewing a gif figure:
gifread.c:796 gfi = Gif_NewImage(); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L796
-> A new object gfi is allocated
gifread.c:826 Gif_AddImage(gfs, gfi)); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L826
-> gfi is added into gfs->images (assuming with index 0)
-> gfi->refcount increases by 1
gifread.c:828 read_image(grr, &gfc, gfi, read_flags); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L828
-> Try to read the image
-> Assuming this call fails and returns 0 (due to a corrupted figure)
gifread.c:829 Gif_RemoveImage(gfs, gfs->nimages - 1); //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L829
-> Gif_DeleteImage(gfs->images[gfs->nimages - 1])
-> Gif_Delete(gfs->images[gfs->nimages - 1]) (i.e., Gif_Delete(gfi))
-> gfi is freed
gifread.c:830 goto done //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L830
gifread.c:886-893: gfi is used multiple times after being freed. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L886
gifread.c:896: gfi is freed again. //https://github.com/kohler/gifsicle/blob/master/src/gifread.c#L896
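As an added example (not gifsicle's code and not the upstream change in 81fd782), the following C model replays the ownership sequence from the report: the local `gfi` is a borrowed pointer, the container holds the only reference, and removing the image frees it while the cleanup path still holds the stale pointer. How the cleanup at done: behaves and the fix (clearing the borrowed pointer once the container drops its reference) are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the report's objects. free() is replaced by a "freed" flag
   (the block stays allocated until the end) so misuse can be counted
   without actually reading freed memory. */
typedef struct { int refcount; int freed; } Image;
typedef struct { Image *images[4]; int nimages; } Stream;

static int g_uaf;    /* touches of an image after it was "freed" */
static int g_frees;  /* how often an image was "freed" */

static Image *new_image(void) { return calloc(1, sizeof(Image)); } /* Gif_NewImage: refcount 0 */
static void touch(Image *i) { if (i->freed) g_uaf++; }           /* any access to i's fields */
static void delete_image(Image *i) {                              /* Gif_DeleteImage: drop a ref */
    touch(i);
    if (--i->refcount > 0) return;
    i->freed = 1; g_frees++;                                      /* would be free(i) */
}
static void add_image(Stream *s, Image *i) { s->images[s->nimages++] = i; i->refcount++; } /* Gif_AddImage */
static void remove_last(Stream *s) { delete_image(s->images[--s->nimages]); }              /* Gif_RemoveImage */

/* Replays the sequence in the report. The cleanup at done: is modelled as
   "use gfi, then on error drop the incomplete image" (an assumption about
   gifread.c:886-896). With fixed != 0 the local is cleared as soon as the
   container drops its reference, so cleanup never touches an object the
   function does not own. Returns the number of use-after-free touches. */
static int read_stream(int read_succeeds, int fixed)
{
    Stream gfs = {{0}, 0};
    Image *obj = new_image();               /* :796 */
    Image *gfi = obj;
    g_uaf = g_frees = 0;
    add_image(&gfs, gfi);                   /* :826  refcount 0 -> 1 */
    if (!read_succeeds) {                   /* :828  read_image failed */
        remove_last(&gfs);                  /* :829  refcount 1 -> 0, gfi "freed" */
        if (fixed) gfi = NULL;              /* the container was the only owner */
        goto done;
    }
done:
    if (gfi) {
        touch(gfi); touch(gfi);             /* :886-893 uses of gfi */
        if (!read_succeeds) delete_image(gfi); /* :896 frees it "again" */
    }
    while (gfs.nimages > 0) remove_last(&gfs);  /* normal teardown */
    free(obj);
    return g_uaf;
}
```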