By Lance Jiang and Jesse Chang
CVE-2019-11932, which is a vulnerability in WhatsApp for Android, was first disclosed to the public on October 2, 2019 after a researcher named Awakened discovered that attackers could use maliciously crafted GIF files to allow remote code execution. The vulnerability was patched with version 2.19.244 of WhatsApp, but the underlying problem lies in the library called libpl_droidsonroids_gif.so, which is part of the android-gif-drawable package. While this flaw has also been patched, many applications still use the older version and remain at risk.
Technical details
A GIF file will be resolved by the allocation of GifInfo *info, and then the stored frames are read one by one. Every frame will use the info->rasterBits pointer and call reallocarray(info->rasterBits,size,), and realloc will succeed and the info->rasterBits pointer will be flushed if size is not 0. However, if size is 0, realloc will fail, the info->rasterBits pointer will not be flushed, and it will be free. For example, when we get the first frame, the size is not 0, we get a new info->rasterBits pointer. If the next two frame sizes are both 0, the reallocarry() function will free the same info->rasterBits pointer twice, which could lead to a double-free vulnerability. The issue code can be found when libpl_droidsonroids_gif.so is decompiled:
Figure 1. Source code for memory allocation during frame retrieval
The variable v25 represents v24*v23, which is the frame’s width and height. However, it never checks whether the value is zero. When the result is ..
Support the originator by clicking the read the rest link below.
