Bug #68717 use after free
Submitted: 2015-01-02 08:43 UTC Modified: 2016-07-23 15:20 UTC
From: bugreports at internot dot info Assigned: cmb (profile)
Status: Not a bug Package: GD related
PHP Version: master-Git-2015-01-02 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-02 08:43 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/gd/libgd/gd_io_dp.c:

if this goes to the false branch:

333        if ((newPtr = gdRealloc(dp->data, required))) {
334                dp->realSize = required;
335                dp->data = newPtr;
336                return TRUE;
337        }

The fact that there is code after this makes me think it is possible for this to happen:

'dp->data' will be freed but not re-allocated.

It is then used here:
343        memcpy(newPtr, dp->data, dp->logicalSize);

which will cause a use-after-free bug.



Thanks,


 [2016-05-27 15:37 UTC] php at mcq8 dot be
If the gdRealloc fails, the 'dp->data' is untouched (http://linux.die.net/man/3/realloc).
So this is not a bug and should be closed.
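The realloc() contract the comment above relies on, shown as an added example (this is illustrative code, not gd's own; the dyn_buf struct, the sim_realloc fault-injection hook and the function names are assumptions). grow_safe mirrors the pattern in gd_io_dp.c: realloc into a temporary, and on failure malloc a fresh block and memcpy the old contents, which is safe precisely because a failed realloc leaves the original block allocated. grow_naive shows the pattern that really does go wrong: writing realloc's result straight back over the only pointer, so a failure leaks the block and turns later reads into a NULL dereference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for libgd's dynamicPtr (field names assumed, not gd's own). */
typedef struct {
    void  *data;         /* heap block holding the bytes written so far */
    size_t logicalSize;  /* bytes in use */
    size_t realSize;     /* bytes allocated */
} dyn_buf;

/* Fault-injection switch: when non-zero, the next sim_realloc() returns NULL
 * WITHOUT touching the caller's block, exactly what C11 7.22.3.5 requires of
 * a failing realloc(). This makes the fallback path run deterministically. */
static int fail_next_realloc = 0;

static void *sim_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;          /* p is still valid and still owned by the caller */
    }
    return realloc(p, n);
}

/* Pattern used in gd_io_dp.c: realloc into a temporary; if that fails,
 * malloc a fresh block and copy. The memcpy reads dp->data, which is safe
 * because the failed realloc left the original block allocated. */
int grow_safe(dyn_buf *dp, size_t required)
{
    void *newPtr = sim_realloc(dp->data, required);
    if (newPtr) {
        dp->data = newPtr;
        dp->realSize = required;
        return 1;
    }
    newPtr = malloc(required);
    if (!newPtr)
        return 0;             /* dp->data unchanged; caller can still free it */
    memcpy(newPtr, dp->data, dp->logicalSize);
    free(dp->data);
    dp->data = newPtr;
    dp->realSize = required;
    return 1;
}

/* The real pitfall: assigning realloc's result straight back. On failure the
 * only pointer to the old block is overwritten with NULL, so the block leaks
 * and any later use of dp->data is a NULL dereference. */
int grow_naive(dyn_buf *dp, size_t required)
{
    dp->data = sim_realloc(dp->data, required);
    if (!dp->data)
        return 0;
    dp->realSize = required;
    return 1;
}

/* Build a buffer holding the bytes of `text` (constructed sample input). */
int dyn_init(dyn_buf *dp, const char *text)
{
    size_t n = strlen(text);
    dp->data = malloc(n);
    if (!dp->data)
        return 0;
    memcpy(dp->data, text, n);
    dp->logicalSize = n;
    dp->realSize = n;
    return 1;
}

/* Returns 1 if the first logicalSize bytes still equal `text`. */
int dyn_matches(const dyn_buf *dp, const char *text)
{
    return dp->data && dp->logicalSize == strlen(text)
        && memcmp(dp->data, text, dp->logicalSize) == 0;
}

int main(void)
{
    dyn_buf dp;
    dyn_init(&dp, "hello");
    fail_next_realloc = 1;                 /* force the malloc+memcpy fallback */
    printf("grow_safe: %d, contents intact: %d, realSize: %zu\n",
           grow_safe(&dp, 64), dyn_matches(&dp, "hello"), dp.realSize);
    free(dp.data);

    dyn_init(&dp, "hello");
    void *old = dp.data;                   /* kept only so the demo can free it */
    fail_next_realloc = 1;
    printf("grow_naive: %d, data is NULL: %d\n",
           grow_naive(&dp, 64), dp.data == NULL);
    free(old);                             /* grow_naive itself lost this pointer */
    return 0;
}
```

The check a reviewer applies to code like gdReallocDynamic is therefore not "is dp->data freed on failure" (it is not) but "is the result of realloc stored somewhere other than the original pointer until it is known to be non-NULL", which the gd code does.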
 [2016-07-23 15:20 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2016-07-23 15:20 UTC] cmb@php.net
Indeed. Thanks!
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jun 03 08:01:25 2025 UTC