saitoha libsixel
cpe:2.3:a:libsixel_project:libsixel:*:*:*:*:*:*:*
- <= 1.8.7
A use-after-free vulnerability has been identified in libsixel versions through 1.8.7 when built with GDK-Pixbuf2 support. The issue is in the 'load_with_gdkpixbuf()' function, where a 'sixel_frame_t' object is created with a reference-counted constructor and then freed directly, without regard to its reference count. An attacker can trigger the flaw by supplying a crafted image, potentially leading to information disclosure, memory corruption, or arbitrary code execution.
Triggering the use-after-free can lead to information disclosure, memory corruption, or arbitrary code execution, depending on the heap layout.
To reproduce this vulnerability, compile libsixel with the GDK-Pixbuf2 option. Then, use the 'sixel_helper_load_image_file()' function to load a crafted image file. The 'load_with_gdkpixbuf()' function will create a 'sixel_frame_t' object, which is then freed without properly managing its reference count. After the function returns, any access to the frame object will result in a use-after-free error, as confirmed by AddressSanitizer.
Users can upgrade to libsixel version 1.8.7-r1 to address this vulnerability.
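The lifetime mistake described above, shown as an added example that is not libsixel's code: a reference-counted frame is released once with a raw free that ignores the count and once with a proper unref. All names here ('frame_t', 'frame_new', 'frame_unref', 'frame_free_raw', 'on_frame', 'load_image') are hypothetical stand-ins, and the sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a reference-counted frame object (not libsixel's struct). */
typedef struct frame { unsigned ref; int width; } frame_t;

static int live_frames;      /* frames allocated and not yet released */
static int premature_frees;  /* frees performed while other holders still had a reference */
static frame_t *kept;        /* reference retained by the consumer callback */

static frame_t *frame_new(void) {
    frame_t *f = calloc(1, sizeof *f);
    if (f) { f->ref = 1; live_frames++; }
    return f;
}
static void frame_ref(frame_t *f) { f->ref++; }
static void frame_unref(frame_t *f) {            /* correct release: free only at zero */
    if (f && --f->ref == 0) { live_frames--; free(f); }
}
static void frame_free_raw(frame_t *f) {         /* bug class: free that ignores the count */
    if (f->ref > 1) premature_frees++;
    live_frames--;
    free(f);
}
static void on_frame(frame_t *f) { frame_ref(f); kept = f; }  /* consumer keeps the frame */

/* Model loader; returns how many frees happened with references outstanding. */
static int load_image(int buggy) {
    frame_t *f = frame_new();
    premature_frees = 0;
    kept = NULL;
    if (!f) return -1;
    f->width = 4;                /* constructed sample value */
    on_frame(f);                 /* ref: 1 -> 2 */
    if (buggy) {
        frame_free_raw(f);       /* consumer's pointer now dangles */
        kept = NULL;             /* cleared only so this demo never touches freed memory */
    } else {
        frame_unref(f);          /* ref: 2 -> 1, consumer's reference stays valid */
    }
    return premature_frees;
}

int main(void) {
    printf("raw free: premature frees = %d\n", load_image(1));
    printf("unref:    premature frees = %d\n", load_image(0));
    printf("consumer still holds width = %d\n", kept ? kept->width : -1);
    frame_unref(kept);           /* last reference dropped, frame released here */
    return 0;
}
```

Building a model like this with AddressSanitizer and leaving the consumer's pointer in place after the raw free is how the dangling access would be reported on first use.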