Date: 2025-07-02

This post is partially an analysis of a double-free vulnerability (CVE-2019-11932) in an image processing library used by WhatsApp and partially a reference for on-device harness development when fuzzing native libraries on Android. I first learned of this vulnerability by reading a blog post from Awakened, the researcher who disclosed the issue. The author did not elaborate on how this issue was found, and I wanted to understand how hard it would be to rediscover the bug. As we will see, the vulnerability itself is fairly shallow and is easy to reproduce by fuzzing the vulnerable library with AFL++.

This CVE is particularly interesting because the vulnerable library code (android-gif-drawable < v1.2.18) could be triggered remotely by sending someone a malformed GIF file. This primitive was not perfect, as it relied on the target taking some manual action, like opening the WhatsApp image gallery. Additionally, this vulnerability would only be one link in a larger exploit chain that would include additional vulnerabilities, for example to obtain information leaks and to escalate privileges. Still, these types of vulnerabilities are rare and expensive because of the potential human intelligence value they provide. This case also illustrates why it is so important that applications audit the libraries they include in their code base. Large enterprises should perhaps do more to contribute to and improve the security of the Open-Source Software (OSS) they employ in their products. A more recent, analogous example resulted in the disclosure of five vulnerabilities in libxml2.

