Nothings stb Use-After-Free Vulnerability in GIF Decoder Leading to Denial-of-Service

Vulnerability

A use-after-free vulnerability exists in Nothings stb versions through 2.30, in the GIF decoding function 'stbi__gif_load_next' in 'stb_image.h'. It can be exploited remotely by sending a crafted multi-frame GIF file. When the same GIF is processed multiple times through different loading functions, the decoder can mistakenly reference freed memory, leading to a crash (denial of service) or, depending on the memory management, arbitrary code execution.

Impact

Exploitation of this vulnerability causes a crash, creating a denial-of-service condition. However, it could also allow an attacker to read freed memory, leading to information disclosure, or potentially execute arbitrary code, depending on the heap layout and allocator behavior.

Reproduction

The vulnerability can be reproduced with a crafted GIF file, supplied base64-encoded and decoded into memory. The 'stbi_load_16_from_memory' function is called on the decoded data first, which frees the internal GIF buffer. A subsequent call to 'stbi_load_gif_from_memory' with the same input reuses the freed context, so the 'two_back' pointer in 'stbi__gif_load_next' references freed heap memory. That dangling reference is the use-after-free condition.
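
As a defensive pre-filter (an added example, not code from stb or from this advisory), an application that only needs still images can count the frames in a GIF and refuse multi-frame input before it reaches the decoder. The names `gif_frame_count`, `FRAME` and `two_frame_gif` are hypothetical, the sample bytes are constructed, and rejecting multi-frame files is an assumed policy rather than a fix for the bug itself.

```c
#include <stddef.h>
#include <string.h>

/* Count image descriptors (frames) in an in-memory GIF.
 * Returns the count, or -1 if the data is malformed or truncated.
 * Every read is bounds-checked because the input is untrusted. */
int gif_frame_count(const unsigned char *p, size_t n)
{
    size_t i = 13;                 /* 6-byte signature + 7-byte screen descriptor */
    int frames = 0;

    if (n < 13 || (memcmp(p, "GIF87a", 6) && memcmp(p, "GIF89a", 6)))
        return -1;
    if (p[10] & 0x80)              /* skip global color table */
        i += (size_t)3 << ((p[10] & 7) + 1);
    while (i < n) {
        unsigned char tag = p[i++];
        if (tag == 0x3B)           /* trailer: end of stream */
            return frames;
        if (tag == 0x2C) {         /* image descriptor, 9 bytes follow */
            if (n - i < 9) return -1;
            unsigned char flags = p[i + 8];
            i += 10;               /* descriptor + LZW minimum code size */
            if (flags & 0x80)      /* skip local color table */
                i += (size_t)3 << ((flags & 7) + 1);
            frames++;
        } else if (tag == 0x21) {  /* extension: label byte, then sub-blocks */
            i += 1;
        } else {
            return -1;             /* unknown block type */
        }
        for (;;) {                 /* skip sub-blocks up to the 0 terminator */
            if (i >= n) return -1;
            size_t len = p[i++];
            if (len == 0) break;
            if (n - i < len) return -1;
            i += len;
        }
    }
    return -1;                     /* no trailer before end of data */
}

/* Constructed sample: 1x1 GIF with the same image block twice (two frames). */
#define FRAME 0x2C,0,0,0,0,1,0,1,0,0x00, 0x02, 0x02,0x4C,0x01, 0x00
static const unsigned char two_frame_gif[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0, 0, FRAME, FRAME, 0x3B
};
```

A caller that expects still images would pass the buffer on to the image loader only when `gif_frame_count` returns 1, and treat -1 or any larger count as a rejection.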

Added: Apr 1, 2026, 10:49 PM
Updated: Apr 1, 2026, 10:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.