Bug 2246109 (CVE-2023-45666) - CVE-2023-45666 stb: memory access violation
Summary: CVE-2023-45666 stb: memory access violation
Status: NEW
Alias: CVE-2023-45666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2246112 2246113 2246114
Reported: 2023-10-25 13:09 UTC by ybuenos
Modified: 2023-10-26 01:01 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description ybuenos 2023-10-25 13:09:32 UTC
stb_image is a single-file, MIT-licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of the output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF, and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible for freeing the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non-null value. However, at the same time the function may return a null value but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail, or to a double-free if `delays` is always freed.
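An added example, not stb_image's code or the reporter's: a hypothetical loader, `load_gif_model`, whose every failure path goes through one cleanup helper that frees and nulls the output parameter, so the caller can free `*delays` unconditionally whether decoding failed before allocation, on out-of-memory, or in the simulated conversion step; `contract_holds` checks that rule for each simulated failure point.

```c
#include <stdlib.h>
/* Hypothetical model, not stb_image code. Contract: on success the caller
 * owns the returned pixels and *delays; on ANY failure the function returns
 * NULL and leaves *delays == NULL, so free(*delays) is always safe. */
enum fail_point { FAIL_NONE, FAIL_NOT_GIF, FAIL_OOM, FAIL_CONVERT };

/* One cleanup helper for every failure path: frees AND clears *delays. */
static void *load_fail(unsigned char *out, int **delays)
{
    free(out);
    if (delays && *delays) {
        free(*delays);
        *delays = NULL;   /* the reset the report says is missing */
    }
    return NULL;
}

/* 'fail' selects where a real decoder would hit an error. */
unsigned char *load_gif_model(enum fail_point fail, int frames, int **delays)
{
    unsigned char *out = NULL;
    if (delays)
        *delays = NULL;   /* initialise before the not-a-GIF early return */
    if (fail == FAIL_NOT_GIF)
        return NULL;      /* nothing allocated; *delays is already NULL */
    if (delays && !(*delays = calloc((size_t)frames, sizeof(int))))
        return load_fail(out, delays);
    out = calloc((size_t)frames, 4);
    if (!out || fail == FAIL_OOM)
        return load_fail(out, delays);
    /* Simulated format conversion: its failure must also go through
     * load_fail instead of returning NULL directly (the leak path). */
    if (fail == FAIL_CONVERT)
        return load_fail(out, delays);
    return out;           /* caller owns out and *delays */
}

/* Returns 1 when the ownership contract holds for the given failure point. */
int contract_holds(enum fail_point fail)
{
    int poison, *d = &poison;   /* must be overwritten by the loader */
    unsigned char *out = load_gif_model(fail, 3, &d);
    int ok = (fail == FAIL_NONE) ? (out != NULL && d != NULL)
                                 : (out == NULL && d == NULL);
    if (!ok) return 0;
    free(out);
    free(d);                    /* unconditional free: safe under the contract */
    return 1;
}
```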


Comment 1 ybuenos 2023-10-25 13:11:39 UTC
Created assimp tracking bugs for this issue:

Affects: epel-8 [bug 2246114]

Created stb tracking bugs for this issue:

Affects: epel-all [bug 2246113]
Affects: fedora-all [bug 2246112]

Comment 2 Fedora Update System 2023-10-26 01:01:22 UTC
FEDORA-2023-58af3a2eca has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make a note of it in this bug report.
