Bug #68717 use after free
Submitted: 2015-01-02 08:43 UTC Modified: 2016-07-23 15:20 UTC
From: bugreports at internot dot info Assigned: cmb (profile)
Status: Not a bug Package: GD related
PHP Version: master-Git-2015-01-02 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-02 08:43 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/gd/libgd/gd_io_dp.c:

if this goes to the false branch:

333        if ((newPtr = gdRealloc(dp->data, required))) {
334                dp->realSize = required;
335                dp->data = newPtr;
336                return TRUE;
337        }

The fact that there is code after this makes me think it is possible for this to happen:

'dp->data' will be freed but not re-allocated.

It is then used here:
343        memcpy(newPtr, dp->data, dp->logicalSize);

which will cause a use-after-free bug.



Thanks,


History

 [2016-05-27 15:37 UTC] php at mcq8 dot be
If the gdRealloc fails, the 'dp->data' is untouched (http://linux.die.net/man/3/realloc).
So this is not a bug and should be closed.
 [2016-07-23 15:20 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2016-07-23 15:20 UTC] cmb@php.net
Indeed. Thanks!
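The realloc contract that the closing reply relies on, shown as an added C example that is not part of the bug report or of gd's own code. It uses a buffer struct with the same three fields as gd's dynamic-pointer I/O context (the names dynbuf_t, dynbuf_grow, dynbuf_grow_unsafe and dynbuf_append are hypothetical), grows it with the same temporary-pointer pattern gd uses, and places beside it the assign-the-result-directly anti-pattern that would really produce a leak and a NULL dereference. The demo forces realloc to fail by requesting SIZE_MAX bytes and then checks that the old block is still allocated, still owned by the struct, and still holds the constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gd's dynamic-pointer context: same bookkeeping. */
typedef struct {
    unsigned char *data;   /* allocated block */
    size_t logicalSize;    /* bytes in use */
    size_t realSize;       /* bytes allocated */
} dynbuf_t;

static int dynbuf_init(dynbuf_t *dp, size_t initial) {
    dp->data = malloc(initial);
    if (!dp->data) return 0;
    dp->logicalSize = 0;
    dp->realSize = initial;
    return 1;
}

/* Safe growth, the shape gd_io_dp.c uses: realloc into a temporary and only
 * commit on success. C11 7.22.3.5 guarantees that when realloc returns NULL
 * the old block is neither freed nor moved, so on the failure path dp->data,
 * logicalSize and realSize are all still valid. There is no use-after-free. */
static int dynbuf_grow(dynbuf_t *dp, size_t required) {
    void *newPtr;
    if (required <= dp->realSize) return 1;
    if ((newPtr = realloc(dp->data, required))) {
        dp->realSize = required;
        dp->data = newPtr;
        return 1;
    }
    return 0;   /* old buffer untouched, nothing freed */
}

/* The real anti-pattern, included for contrast (gd does NOT do this): on
 * failure the only reference to the old block is overwritten with NULL, so the
 * block leaks and any later access through dp->data is a NULL dereference. */
static int dynbuf_grow_unsafe(dynbuf_t *dp, size_t required) {
    dp->data = realloc(dp->data, required);
    if (!dp->data) return 0;
    dp->realSize = required;
    return 1;
}

static int dynbuf_append(dynbuf_t *dp, const void *src, size_t n) {
    if (dp->logicalSize + n > dp->realSize &&
        !dynbuf_grow(dp, dp->logicalSize + n))
        return 0;
    memcpy(dp->data + dp->logicalSize, src, n);
    dp->logicalSize += n;
    return 1;
}

/* An allocation no implementation can satisfy; volatile keeps the compiler
 * from folding the constant and complaining about the size at build time. */
static size_t impossible_size(void) {
    volatile size_t huge = SIZE_MAX;
    return huge;
}

/* Returns 1 if, after a failed grow, the safe path left the buffer allocated
 * with its contents and bookkeeping intact. */
int demo_failed_realloc_keeps_data(void) {
    dynbuf_t dp;
    const char payload[] = "GIF89a";   /* constructed sample input */
    int ok = 0;

    if (!dynbuf_init(&dp, 8)) return 0;
    if (!dynbuf_append(&dp, payload, sizeof payload)) goto out;
    if (dynbuf_grow(&dp, impossible_size())) goto out;   /* must fail */

    ok = dp.data != NULL &&
         dp.realSize == 8 &&
         dp.logicalSize == sizeof payload &&
         memcmp(dp.data, payload, sizeof payload) == 0;
out:
    free(dp.data);
    return ok;
}

/* Returns 1 if the unsafe path lost its reference to a block that is still
 * allocated. The saved copy of the old pointer is the only thing that lets
 * this demo free it; real code has no such copy, so the block leaks. */
int demo_unsafe_grow_loses_buffer(void) {
    dynbuf_t dp;
    unsigned char *old;
    int lost;

    if (!dynbuf_init(&dp, 8)) return 0;
    old = dp.data;
    lost = !dynbuf_grow_unsafe(&dp, impossible_size()) && dp.data == NULL;
    free(old);   /* still valid: realloc never freed it */
    return lost;
}

int main(void) {
    printf("safe grow keeps data on failure:   %d\n", demo_failed_realloc_keeps_data());
    printf("unsafe grow loses buffer on failure: %d\n", demo_unsafe_grow_loses_buffer());
    return 0;
}
```

Both demos return 1: the temporary-pointer form gd uses survives a failed realloc with every field still usable, while the direct-assignment form ends with dp->data NULL and the old block unreachable. The memcpy at line 343 of gd_io_dp.c is only reachable through the success branch of the pattern shown in dynbuf_grow, which is why the report was closed as not a bug.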
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 16:01:27 2024 UTC