Nothings stb
cpe:2.3:a:nothings:stb:*:*:*:*:*:*:*
- <= 2.30
A double-free vulnerability has been identified in Nothings stb versions through 2.30, specifically within the function 'stbi__load_gif_main' in 'stb_image.h'. This issue arises when the function reallocates the output buffer for multi-frame GIFs. If the reallocation frees the old buffer and a subsequent realloc fails, the function mistakenly calls 'STBI_FREE' on the already-freed pointer, leading to a double-free condition. Exploitation requires local access; beyond the immediate crash, the resulting heap corruption could potentially allow code execution.
Exploitation of this vulnerability causes a crash, but also leads to a double-free condition that could be exploited for arbitrary code execution via heap corruption.
The vulnerability can be reproduced by compiling a program with AddressSanitizer enabled that uses the 'stbi_load_gif_from_memory' function to load a crafted GIF file. The crafted GIF should be base64-encoded and designed to trigger the double-free condition by causing a memory reallocation that frees the old buffer, followed by a failure that leaves the function with a dangling pointer.
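As an added illustration of the pattern described above (constructed code, not stb_image's own), the block below places the faulty error-path shape beside its hardened form: a per-frame grow loop for a pixel buffer and a delay table in which, when the second realloc fails, the faulty path also frees a stale copy of a pointer the first realloc already released. A small free-tracker stands in for AddressSanitizer so the faulty path can run without undefined behaviour; all function and variable names are assumptions.

```c
#include <stdlib.h>

/* Constructed example, not stb code: a per-frame grow loop for a pixel buffer
   and a delay table (the shape of a multi-frame GIF loader), an injectable
   realloc failure, and a small free-tracker that reports a second free of a
   block instead of passing it to free(), so the faulty path runs without UB. */
static int alloc_calls, fail_at, double_frees;   /* fail_at: 1-based call, 0 = never */
static void *freed[32]; static int nfreed;

static void mark_freed(void *p) { if (nfreed < 32) freed[nfreed++] = p; }
static void mark_live(void *p) {                 /* block handed out again */
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) { freed[i] = freed[--nfreed]; return; }
}
static void *xrealloc(void *p, size_t n) {
    if (++alloc_calls == fail_at) return NULL;   /* simulated OOM: p stays valid */
    void *q = realloc(p, n);
    if (q) { mark_live(q); if (p && q != p) mark_freed(p); }  /* old block released */
    return q;
}
static void xfree(void *p) {
    if (!p) return;
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) { double_frees++; return; }
    mark_freed(p); free(p);
}
static void reset(int fail) { alloc_calls = nfreed = double_frees = 0; fail_at = fail; }
/* Hardened cleanup: frees each pointer once and nulls it, so repeating it is harmless. */
static void cleanup(unsigned char **out, int **delays) {
    xfree(*out); *out = NULL; xfree(*delays); *delays = NULL;
}
/* faulty != 0 reproduces the bug shape: the error path also frees a copy of the
   pre-realloc pointer, which a successful realloc of `out` may already have released.
   Returns the number of frames grown, or -1 on allocation failure. */
static int grow_frames(int frames, int faulty) {
    unsigned char *out = NULL; int *delays = NULL;
    for (int f = 1; f <= frames; f++) {
        unsigned char *old = out;                 /* stale after a moving realloc */
        unsigned char *tmp = xrealloc(out, (size_t)f * 64);
        if (!tmp) { cleanup(&out, &delays); return -1; }
        out = tmp;
        int *nd = xrealloc(delays, (size_t)f * sizeof *delays);
        if (!nd) {
            if (faulty) xfree(old);               /* BUG: second free of the old block */
            cleanup(&out, &delays); return -1;
        }
        delays = nd;
    }
    cleanup(&out, &delays); return frames;
}
```

Failing the fourth allocation (the delay-table realloc for frame 2) makes the faulty path free the frame-1 pixel block twice, which the tracker counts, while the hardened cleanup frees it exactly once.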