saitoha libsixel
- <= 1.8.7
A use-after-free vulnerability has been identified in libsixel, a SIXEL encoder/decoder library, in versions through 1.8.7. The issue arises in the load_gif() function within fromgif.c, where a single sixel_frame_t object is reused for all frames of an animated GIF. The function gif_init_frame() frees and reallocates the frame's pixel data without checking for external references, leading to a dangling pointer. This vulnerability can be exploited by any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs, causing at least a crash and potentially allowing for code execution.
Exploitation of this vulnerability causes a heap-use-after-free error, which can lead to a crash or potentially allow for code execution.
To reproduce this vulnerability, use the libsixel library to load an animated GIF file with at least two palettised frames. The callback function should retain a reference to the sixel_frame_t object and save the pointer to the pixel data. After the second frame is decoded, the saved pointer will become a dangling reference, leading to a use-after-free condition.
Users should upgrade to libsixel version 1.8.7-r1, where this vulnerability has been fixed.
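For callers that cannot upgrade immediately, the callback can avoid holding the library's pixel pointer by copying the data while the buffer is still live. The following is an added example, not libsixel code and not from the advisory: a self-contained model in which `model_frame_t`, `model_init_frame()`, `snapshot_cb()` and `model_load()` are hypothetical stand-ins for the reused frame object, the free-and-reallocate step, a multi-frame callback and the loader loop described above.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for sixel_frame_t: one object reused for every frame. */
typedef struct { unsigned char *pixels; size_t size; int refs; } model_frame_t;

/* Models gif_init_frame() as described: frees and replaces pixels, ignoring refs. */
static int model_init_frame(model_frame_t *f, size_t size, unsigned char fill)
{
    free(f->pixels);                         /* any saved pointer is now stale */
    f->pixels = malloc(size);
    if (f->pixels == NULL) return -1;
    memset(f->pixels, fill, size);           /* constructed sample pixel data */
    f->size = size;
    return 0;
}

/* Callback state owns private copies; it never stores the loader's pointer. */
typedef struct { unsigned char *copy[4]; int count; } snapshots_t;
static int snapshot_cb(model_frame_t *f, void *ctx)
{
    snapshots_t *s = ctx;
    if (s->count >= 4) return -1;            /* bound the frames we keep */
    unsigned char *p = malloc(f->size);
    if (p == NULL) return -1;
    memcpy(p, f->pixels, f->size);           /* deep copy while buffer is live */
    s->copy[s->count++] = p;
    return 0;
}

/* Models the loader loop: one frame object, one callback call per frame. */
static int model_load(int nframes, size_t size, snapshots_t *out)
{
    model_frame_t frame = { NULL, 0, 1 };
    int rc = 0;
    for (int i = 0; i < nframes && rc == 0; i++) {
        rc = model_init_frame(&frame, size, (unsigned char)(0x10 + i));
        if (rc == 0) rc = snapshot_cb(&frame, out);
    }
    free(frame.pixels);
    return rc;
}

int main(void) {
    snapshots_t s; memset(&s, 0, sizeof s);
    int rc = model_load(2, 64, &s);
    for (int i = 0; i < s.count; i++) free(s.copy[i]);
    return rc;
}
```

Building the real application with AddressSanitizer (`-fsanitize=address`) is a quick way to confirm whether an existing callback still touches the freed buffer.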