Use-after-free / Double-Free in gifcolor
A library and utilities for processing GIFs
Brought to you by: abadger1999, esr
Hi,
Multiple use-after-free / double-free bugs were found in gifcolor.c (version 5.1.2).
Two possible consecutive calls to EGifCloseFile at lines 122 and 124, with the same first parameter (GifFile), could lead to two calls to free(GifFile) / free(Private->HashTable) / free(Private).
In particular, the second call to free(GifFile) appears at line 802 of egif_lib.c (there is no check of whether 'ErrorCode != NULL' for this free).
Since Private is freed by the first call to EGifCloseFile and used during the second call, this is also a use-after-free.
A fix could simply be to remove the second call to EGifCloseFile.
These issues were found with the help of the static analyzer GUEB.
Best regards,
Josselin Feist
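The ownership chain in the report (handle -> Private -> HashTable) and the consequence of closing the same handle twice can be shown in a small stand-alone program. This is an added example, not code from the ticket, from gifcolor or from giflib: the structures, open_handle/close_handle/close_handle_once and the error code ERR_ALREADY_CLOSED are assumed stand-ins modelled on the description above, not giflib's real definitions. vulnerable_shutdown reproduces the shape of the bug (a second consecutive close on a dangling pointer) and is deliberately never called; the guarded path shows the generic hardening of clearing the only copy of the pointer, while the ticket's actual fix was to drop the second call.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in structures modelled on the handle/private/hash-table ownership the
   report describes. These are NOT giflib's real definitions. */
typedef struct {
    unsigned int *HashTable;   /* owned by the private block */
} PrivateType;

typedef struct {
    PrivateType *Private;      /* owned by the handle */
} GifFileType;

#define ERR_ALREADY_CLOSED 1   /* assumed error code, not a giflib constant */

GifFileType *open_handle(void)
{
    GifFileType *gif = calloc(1, sizeof *gif);
    if (gif == NULL) return NULL;
    gif->Private = calloc(1, sizeof *gif->Private);
    if (gif->Private == NULL) { free(gif); return NULL; }
    gif->Private->HashTable = calloc(4096, sizeof(unsigned int));
    if (gif->Private->HashTable == NULL) { free(gif->Private); free(gif); return NULL; }
    return gif;
}

/* Close sequence with the same shape as the one in the report: the handle is
   dereferenced to reach Private, then HashTable, Private and the handle are
   freed. Nothing here can tell a live handle from one already freed. */
int close_handle(GifFileType *GifFile, int *ErrorCode)
{
    if (GifFile == NULL) {
        if (ErrorCode != NULL) *ErrorCode = ERR_ALREADY_CLOSED;
        return 0;
    }
    PrivateType *Private = GifFile->Private;   /* use-after-free on a 2nd call */
    free(Private->HashTable);                  /* double free on a 2nd call */
    free(Private);
    free(GifFile);
    return 1;
}

/* The caller pattern from the report, kept only to show the shape of the bug.
   Never call it: GifFile dangles after the first close, so the second call
   reads freed memory and frees all three blocks again. */
void vulnerable_shutdown(GifFileType *GifFile)
{
    int ErrorCode = 0;
    if (!close_handle(GifFile, &ErrorCode))
        fprintf(stderr, "close failed: %d\n", ErrorCode);
    close_handle(GifFile, NULL);   /* second consecutive close: UAF + double free */
}

/* Hardened caller: the owner of the only copy of the pointer clears it after
   closing, so a repeated close reports an error instead of touching freed
   memory. (The ticket's own fix was simply to remove the second call.) */
int close_handle_once(GifFileType **GifFilePtr, int *ErrorCode)
{
    if (GifFilePtr == NULL || *GifFilePtr == NULL) {
        if (ErrorCode != NULL) *ErrorCode = ERR_ALREADY_CLOSED;
        return 0;
    }
    int ok = close_handle(*GifFilePtr, ErrorCode);
    *GifFilePtr = NULL;
    return ok;
}

/* Closes one handle twice through the guarded path. Returns how many of the
   two closes succeeded (expected: 1) and stores the second call's error code
   in *second_error (expected: ERR_ALREADY_CLOSED). */
int demo_guarded_double_close(int *second_error)
{
    GifFileType *gif = open_handle();
    if (gif == NULL) return -1;
    int successes = 0, first_error = 0;
    *second_error = 0;
    if (close_handle_once(&gif, &first_error)) successes++;
    if (close_handle_once(&gif, second_error)) successes++;   /* gif is NULL now */
    return successes;
}

/* Convenience wrapper: the error code reported by the second close. */
int second_close_error(void)
{
    int err = 0;
    demo_guarded_double_close(&err);
    return err;
}

int main(void)
{
    int err = 0;
    int n = demo_guarded_double_close(&err);
    printf("successful closes: %d, second close error: %d\n", n, err);
    return (n == 1 && err == ERR_ALREADY_CLOSED) ? 0 : 1;
}
```

Building with `-fsanitize=address` and calling vulnerable_shutdown on a fresh handle is the quickest way to see the report's finding reproduced on this model: ASan stops at the read of GifFile->Private in the second close_handle, before the double free is even reached.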
Fixed, thanks.
Since it's fixed, would it be possible to set the ticket as public?
Thanks !
Use CVE-2016-3177.
CVE request: http://www.openwall.com/lists/oss-security/2016/03/16/6
CVE assigned: http://www.openwall.com/lists/oss-security/2016/03/16/12
Which version of giflib has the fix? Do you have a link to the exact commit(s) that fix this issue, in case we need to backport it?
OK, I found it in NEWS. So CVE-2016-3177 was introduced in 5.1.2 and resolved in 5.1.3.