vulnrichment GitHub_M VULNRICHMENT:CVE-2023-45664
History: Oct 20, 2023 - 11:26 p.m.

CVE-2023-45664 Double-free in stbi__load_gif_main_outofmem in stb_image

2023-10-20 23:26:40
CWE-415
GitHub_M
github.com
1
cve-2023-45664
double-free
stb_image
memory
multi-threaded
code execution

CVSS3: 7.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 7.1
Confidence: Low

EPSS: 0.001
Percentile: 44.9%

SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial

stb_image is a single-file, MIT-licensed library for processing images. A crafted image file can cause stbi__load_gif_main_outofmem to attempt to double-free the out variable. This happens in stbi__load_gif_main because, when the layers * stride value is zero, the behavior of realloc is implementation-defined, and it is common for realloc to free the old memory and return a null pointer. Since the code attempts to double-free the memory a few lines below the first “free”, the issue can potentially be exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
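The defensive pattern for the zero-size realloc case described above, as an added example that is not stb_image's code or its upstream fix: a grow helper rejects a zero or overflowing layers * stride before calling realloc, so the buffer keeps a single owner and is freed once on the error path. The names grow_frames and load_frames are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example; grow_frames/load_frames are hypothetical, not stb_image API.
 * Returns 1 and updates *buf on success. On failure returns 0 and leaves
 * *buf untouched, so the caller still owns it and frees it exactly once. */
static int grow_frames(unsigned char **buf, size_t layers, size_t stride)
{
    /* realloc(p, 0) may free p and return NULL: never pass a zero size. */
    if (layers == 0 || stride == 0)
        return 0;
    /* Reject layers * stride overflow, which could also wrap to zero. */
    if (layers > SIZE_MAX / stride)
        return 0;
    unsigned char *tmp = realloc(*buf, layers * stride);
    if (tmp == NULL)
        return 0;           /* non-zero size: old block is still valid */
    *buf = tmp;
    return 1;
}

/* Simulates a multi-frame decode loop. Returns the number of frames stored,
 * or -1 after cleaning up on error. *frees counts calls to free() on out. */
static int load_frames(size_t frames, size_t stride, int *frees)
{
    unsigned char *out = NULL;
    *frees = 0;
    for (size_t layers = 1; layers <= frames; ++layers) {
        if (!grow_frames(&out, layers, stride)) {
            free(out);      /* single owner, single free */
            ++*frees;
            return -1;
        }
        memset(out + (layers - 1) * stride, 0, stride);
    }
    free(out);
    ++*frees;
    return (int)frames;
}
```

Building callers like this with AddressSanitizer (-fsanitize=address) reports a double free at the second free() if the ownership rule is ever broken.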

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nothings:stb_image:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nothings",
    "product": "stb_image",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.28"
      }
    ],
    "defaultStatus": "unknown"
  }
]
