FreeImage Use-After-Free Vulnerability in TGA Plugin

A use-after-free vulnerability has been identified in FreeImage version 3.18.0, specifically within the TGA image loading plugin. The issue arises in the 'loadRLE' function, where the memory for a bitmap is freed prematurely if an error occurs. However, the calling function retains a pointer to the freed memory and uses it in subsequent operations, which can lead to a crash or potentially allow arbitrary code execution.

Impact

Exploitation of this vulnerability causes a crash due to an access violation from reading freed memory. However, this use-after-free condition could be leveraged to write to arbitrary memory locations, with the potential for remote code execution.

Reproduction

The vulnerability can be reproduced by loading a crafted TGA image with RLE compression into FreeImage 3.18.0. When the 'loadRLE' function encounters an error, it frees the bitmap memory but leaves a dangling pointer. The 'Load' function then accesses this pointer during image processing, leading to a crash. This can be automated with a proof-of-concept program that loads the malicious TGA file.