Sec Bug #68719 double free
Submitted: 2015-01-02 08:53 UTC Modified: 2015-01-05 16:36 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: Zlib related
PHP Version: 5.4Git-2015-01-02 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-02 08:53 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/zlib/zlib.c:


If this is true:
367                if ((max && (max <= buffer.used)) || !(buffer.aptr = erealloc_recoverable(buffer.data, buffer.size))) {
368                        status = Z_MEM_ERROR;

then this will execute:

393                if (buffer.data) {
394                        efree(buffer.data);
395                }


That if(buffer.data) statement will do nothing. It will always evaluate to NULL.


Thanks,
History

 [2015-01-03 05:30 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-01-03 05:30 UTC] stas@php.net
Not sure I understand how double free happens here. If condition on line 367 is true, that means 0 < max <= buffer.used, which means the loop runs at least once, i.e. buffer.data is not NULL. So it always frees it. But where is the second free?
 [2015-01-03 05:44 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-03 05:44 UTC] bugreports at internot dot info
So apparently I sent this without enough sleep.

I assumed erealloc_recoverable() freed buffer.data.

But anyways, if not, there's a non-security related bug

The test here:


393                if (buffer.data) {
394                        efree(buffer.data);
395                }

is useless.

Even if buffer.data = NULL, it should be freed, no?
Just as long as buffer.data has allocated memory, it shouldn't be.


Thanks,
 [2015-01-03 05:45 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2015-01-03 05:45 UTC] stas@php.net
If erealloc_recoverable frees the data, it returns another pointer to new allocated buffer. erealloc, just like emalloc, does not return nulls.
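Added example, not code from the bug report or from PHP's ext/zlib: the grow loop quoted above, rebuilt in plain C against a constructed allocator (`fallible_realloc`) that is assumed to behave like realloc(3), returning NULL on a failed grow and leaving the old block untouched. It shows why the loop writes the result into the temporary `buffer.aptr` rather than straight into `buffer.data`: on a failed grow `data` still points at the live block, so the single `efree` after the loop frees it exactly once, and neither a double free nor a leak occurs. For contrast it also includes the anti-pattern `data = realloc(data, n)`, which orphans the block on a NULL return. All names here (`grow_with_temp`, `grow_overwriting`, `fail_on`) are this example's own.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an erealloc_recoverable()-style allocator: like
 * realloc(3), but the call whose index equals fail_at returns NULL and leaves
 * the old block untouched.  The old block is remembered so the harness can
 * reclaim it if the code under test leaks it. */
static int realloc_calls, fail_at, free_calls;
static void *leaked_ptr;

static void *fallible_realloc(void *p, size_t n)
{
    if (realloc_calls++ == fail_at) {
        leaked_ptr = p;
        return NULL;
    }
    return realloc(p, n);
}

static void counting_free(void *p)
{
    if (p) {
        free_calls++;
        if (p == leaked_ptr)    /* the caller did free it after all */
            leaked_ptr = NULL;
    }
    free(p);
}

static void reset(int fail_on)
{
    realloc_calls = free_calls = 0;
    fail_at = fail_on;
    leaked_ptr = NULL;
}

typedef struct { int frees; size_t produced; } grow_result;   /* produced == 0 on error */
typedef struct { char *data, *aptr; size_t size, used; } grow_buf;

/* Mirrors the zlib.c loop: the grown pointer lands in the temporary aptr, so a
 * failed grow leaves data valid and owned, and it is freed once after the loop. */
grow_result grow_with_temp(size_t step, size_t total, size_t max, int fail_on)
{
    grow_buf b = { NULL, NULL, step, 0 };
    int ok = 1;

    reset(fail_on);
    while (b.used < total) {
        /* same shape as the condition on zlib.c line 367 */
        if ((max && max <= b.used) || !(b.aptr = fallible_realloc(b.data, b.size))) {
            ok = 0;
            break;
        }
        b.data = b.aptr;
        size_t n = total - b.used < step ? total - b.used : step;
        memset(b.data + b.used, 'A', n);
        b.used += n;
        b.size += step;
    }
    if (b.data)                 /* zlib.c lines 393-395 */
        counting_free(b.data);
    return (grow_result){ free_calls, ok ? b.used : 0 };
}

/* Anti-pattern: the realloc result overwrites the only pointer to the block,
 * so on a NULL return the old block is unreachable and leaks. */
grow_result grow_overwriting(size_t step, size_t total, int fail_on)
{
    char *data = NULL;
    size_t size = step, used = 0;
    int ok = 1;

    reset(fail_on);
    while (used < total) {
        data = fallible_realloc(data, size);
        if (!data) {            /* old block lost here */
            ok = 0;
            break;
        }
        size_t n = total - used < step ? total - used : step;
        memset(data + used, 'A', n);
        used += n;
        size += step;
    }
    if (data)
        counting_free(data);
    return (grow_result){ free_calls, ok ? used : 0 };
}

/* Harness helper: reclaim a block the anti-pattern orphaned.  Returns 1 if
 * there was one, so a leak is observable rather than silent. */
int reclaim_leaked(void)
{
    int had = leaked_ptr != NULL;
    free(leaked_ptr);
    leaked_ptr = NULL;
    return had;
}
```

With `fail_on = 2` the third grow fails: `grow_with_temp` still reports exactly one free and nothing to reclaim, while `grow_overwriting` reports zero frees and `reclaim_leaked` finds the orphaned block. The `max` cut-off takes the same single-free path, since it breaks before any allocator call.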
Last updated: Thu Dec 26 13:01:30 2024 UTC