There exists a use after free/double free in libwebp. An attacker can use theย ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 999 | all | firefox | <ย 112.0-1 | firefox_112.0-1_all.deb |
Debian | 12 | all | firefox-esr | <ย 102.10.0esr-1 | firefox-esr_102.10.0esr-1_all.deb |
Debian | 11 | all | firefox-esr | <ย 102.10.0esr-1~deb11u1 | firefox-esr_102.10.0esr-1~deb11u1_all.deb |
Debian | 10 | all | firefox-esr | <ย 102.10.0esr-1~deb10u1 | firefox-esr_102.10.0esr-1~deb10u1_all.deb |
Debian | 999 | all | firefox-esr | <ย 102.10.0esr-1 | firefox-esr_102.10.0esr-1_all.deb |
Debian | 13 | all | firefox-esr | <ย 102.10.0esr-1 | firefox-esr_102.10.0esr-1_all.deb |
Debian | 12 | all | libwebp | <ย 1.2.4-0.2 | libwebp_1.2.4-0.2_all.deb |
Debian | 11 | all | libwebp | <ย 0.6.1-2.1+deb11u1 | libwebp_0.6.1-2.1+deb11u1_all.deb |
Debian | 10 | all | libwebp | <ย 0.6.1-2+deb10u2 | libwebp_0.6.1-2+deb10u2_all.deb |
Debian | 999 | all | libwebp | <ย 1.2.4-0.2 | libwebp_1.2.4-0.2_all.deb |