Google SANM Decoder Use-After-Free Vulnerability in Animation Subversion Prior to 2

Vulnerability

A use-after-free write vulnerability has been identified in the SANM decoding process for animations with subversion prior to 2. When a STOR chunk is present, the subsequent FOBJ chunk is saved in the context's stored_frame so that later FTCH chunks can retrieve it. For files with subversion prior to 2, the frame is stored undecoded and is only decoded when an FTCH chunk is processed. If the frame size is invalid, the decoding process returns early, but the raw frame buffer is still stored and the context's dimension flag remains false. When an FTCH chunk is later processed, the missing dimensions are set, which can trigger a buffer reallocation that frees the old buffer while a reference to it is still held. This mismanagement leads to a use-after-free read, in which codecs that read bytes from the stored frame access freed memory. Beyond the read, writing to the freed memory could corrupt allocator metadata; the vulnerability can be triggered simply by checking whether a file is in the SANM format.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where freed memory is accessed, potentially allowing for memory corruption or manipulation of program execution.

Reproduction

The vulnerability can be reproduced with a SANM file containing a STOR chunk followed by an FOBJ chunk of invalid size. When this file is decoded, the invalid frame size causes an early return, but the raw frame buffer is still kept in the context's stored_frame. Processing a subsequent FTCH chunk then triggers the use-after-free read: the context is updated to reference a new buffer while the old one, still referenced during decoding, has been freed. Simply probing whether a file is in the SANM format is enough to reach this path when these conditions are met.
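As an added illustration of the STOR, FOBJ, FTCH sequence above (a constructed model, not FFmpeg's sanm.c or any code from this advisory; the function names, the 4-byte w/h header, the 64-byte default buffer and the `fixed` switch are assumptions), the vulnerable ordering is shown beside the hardened one, and a generation counter stands in for the read of freed memory so the model stays well-defined:

```c
/* Constructed model of the STOR/FOBJ/FTCH bug pattern; not FFmpeg's sanm.c. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { FTCH_OK = 0, FTCH_NO_FRAME = -1, FTCH_BAD_DIMS = -2, FTCH_DANGLING = -3 };
typedef struct { unsigned w, h; int have_dims, store_next;   /* dim flag; STOR seen */
    uint8_t *stored_frame; size_t stored_cap, stored_len;    /* raw FOBJ kept for FTCH */
    unsigned gen; } SanmCtx;                                 /* bumps on reallocation */
static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }
/* Record w,h; grow the per-dimension buffer, which frees the old one. */
static int set_dims(SanmCtx *c, unsigned w, unsigned h) {
    if (w == 0 || h == 0 || w > 4096 || h > 4096) return -1;
    size_t need = 4 + (size_t)w * h;
    if (need > c->stored_cap) {
        uint8_t *nb = calloc(need, 1); if (!nb) return -1;
        free(c->stored_frame);                     /* pointers taken earlier now dangle */
        c->stored_frame = nb; c->stored_cap = need; c->stored_len = 0; c->gen++;
    }
    c->w = w; c->h = h; c->have_dims = 1; return 0;
}
/* FOBJ: u16 w, u16 h, then w*h pixel bytes. fixed == 0 models the bug (a bad frame
 * returns early but is still stored raw); fixed == 1 rejects it before storing. */
static int fobj(SanmCtx *c, const uint8_t *p, size_t len, int fixed) {
    int ok = len >= 4 && len - 4 == (size_t)rd16(p) * rd16(p + 2);
    if (!ok && fixed) return -1;
    if (ok && set_dims(c, rd16(p), rd16(p + 2)) < 0) return -1;
    if (c->store_next) {                           /* kept undecoded, even when !ok */
        c->stored_len = len < c->stored_cap ? len : c->stored_cap;
        memcpy(c->stored_frame, p, c->stored_len); c->store_next = 0;
    }
    return ok ? 0 : -1;                            /* when !ok, have_dims is still 0 */
}
/* FTCH: src is taken before the missing dims are set; if that reallocated, a real
 * decoder would read freed memory. The model checks gen and refuses instead. */
static int ftch(SanmCtx *c, unsigned *pixel_sum) {
    const uint8_t *src = c->stored_frame; unsigned gen = c->gen;
    if (c->stored_len < 4) return FTCH_NO_FRAME;
    if (!c->have_dims && set_dims(c, rd16(src), rd16(src + 2)) < 0) return FTCH_BAD_DIMS;
    if (c->gen != gen) return FTCH_DANGLING;       /* src was freed by set_dims() */
    *pixel_sum = 0; for (size_t i = 4; i < c->stored_len; i++) *pixel_sum += src[i];
    return FTCH_OK;
}
/* Constructed inputs: a well-formed 2x2 FOBJ and a 64x64 FOBJ with the wrong size. */
static const uint8_t GOOD[] = { 2, 0, 2, 0, 1, 2, 3, 4 };
static const uint8_t BAD[]  = { 64, 0, 64, 0, 9, 9, 9, 9, 9, 9 };
static unsigned last_sum;                          /* pixel sum from the last run() */
static int run(const uint8_t *frame, size_t len, int fixed) { /* STOR, FOBJ, FTCH */
    SanmCtx c = { .stored_cap = 64, .stored_frame = calloc(64, 1), .store_next = 1 };
    fobj(&c, frame, len, fixed);                   /* error ignored, as a prober might */
    int r = ftch(&c, &last_sum); free(c.stored_frame); return r;
}
```

With `fixed == 0` the undersized frame is stored anyway and FTCH's later set_dims() frees it out from under the held pointer; with `fixed == 1` it never reaches stored_frame and FTCH has nothing to fetch.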

Remediation

Users are advised to upgrade to version 8.0 or later.

Added: Oct 6, 2025, 8:16 AM
Updated: Oct 6, 2025, 3:12 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.7
remediation: 7.7
relevance: 0.7
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.