PHP :: Sec Bug #68719 :: double free

Sec Bug #68719	double free
Submitted:	2015-01-02 08:53 UTC	Modified:	2015-01-05 16:36 UTC
From:	bugreports at internot dot info	Assigned:
Status:	Not a bug	Package:	Zlib related
PHP Version:	5.4Git-2015-01-02 (Git)	OS:	Linux Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 48 - 14 = ?
Subscribe to this entry?

[2015-01-02 08:53 UTC] bugreports at internot dot info

Description:
------------
Hi,

In /ext/zlib/zlib.c:


If this is true:
367                if ((max && (max <= buffer.used)) || !(buffer.aptr = erealloc_recoverable(buffer.data, buffer.size))) {
368                        status = Z_MEM_ERROR;

then this will execute:

393                if (buffer.data) {
394                        efree(buffer.data);
395                }


That if(buffer.data) statement will do nothing. It will always evaluate to NULL.


Thanks,

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-01-03 05:30 UTC] stas@php.net

-Status: Open +Status: Feedback

[2015-01-03 05:30 UTC] stas@php.net

Not sure I understand how double free happens here. If condition on line 367 is true, that means 0 < max <= buffer.used, which means the loop runs at least once, i.e. buffer.data is not NULL. So it always frees it. But where is the second free?

[2015-01-03 05:44 UTC] bugreports at internot dot info

-Status: Feedback +Status: Open

[2015-01-03 05:44 UTC] bugreports at internot dot info

So apparently I sent this without enough sleep.

I assumed erealloc_recoverable() freed buffer.data.

But anyways, if not, there's a non-security related bug

The test here:


393                if (buffer.data) {
394                        efree(buffer.data);
395                }

is useless.

even if buffer.data = NULL, it should be freed, no?
Just as long as buffer.data has allocated memory, it shouldn't be.


Thanks,

[2015-01-03 05:45 UTC] stas@php.net

-Status: Open +Status: Not a bug

[2015-01-03 05:45 UTC] stas@php.net

If erealloc_recoverable frees the data, it returns another pointer to new allocated buffer. erealloc, just like emalloc, does not return nulls.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 06:00:01 2025 UTC