Sec Bug #68719 double free
Submitted: 2015-01-02 08:53 UTC Modified: 2015-01-05 16:36 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: Zlib related
PHP Version: 5.4Git-2015-01-02 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-02 08:53 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/zlib/zlib.c:


If this is true:
367                if ((max && (max <= buffer.used)) || !(buffer.aptr = erealloc_recoverable(buffer.data, buffer.size))) {
368                        status = Z_MEM_ERROR;

then this will execute:

393                if (buffer.data) {
394                        efree(buffer.data);
395                }


That if(buffer.data) statement will do nothing. It will always evaluate to NULL.


Thanks,

History

 [2015-01-03 05:30 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-01-03 05:30 UTC] stas@php.net
Not sure I understand how double free happens here. If condition on line 367 is true, that means 0 < max <= buffer.used, which means the loop runs at least once, i.e. buffer.data is not NULL. So it always frees it. But where is the second free?
 [2015-01-03 05:44 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-03 05:44 UTC] bugreports at internot dot info
So apparently I sent this without enough sleep.

I assumed erealloc_recoverable() freed buffer.data.

But anyway, if not, there's a non-security-related bug.

The test here:


393                if (buffer.data) {
394                        efree(buffer.data);
395                }

is useless.

Even if buffer.data = NULL, it should be freed, no?
Just as long as buffer.data has allocated memory, it shouldn't be.


Thanks,
 [2015-01-03 05:45 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2015-01-03 05:45 UTC] stas@php.net
If erealloc_recoverable frees the data, it returns another pointer to a newly allocated buffer. erealloc, just like emalloc, does not return nulls.
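The thread's conclusion rests on the `aptr` temporary: the realloc result is stored separately, so on the failure path `buffer.data` still names the one live allocation and the single `efree` at the end is neither a leak nor a double free. The following C program is an added illustration of that pattern and is not code from zlib.c or from PHP; it mirrors the field names of the snippet (data, aptr, size, used) in a hypothetical `grow_buf`, uses the standard `realloc()` (which, unlike PHP's `erealloc`, really can return NULL) behind a hypothetical `hook_realloc()` with a switch that forces one failure, and the `grow_copy()` function, its `max`/`chunk` parameters and the sample input are all constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer with the same field names as the zlib.c
 * snippet (data, aptr, size, used); the names are borrowed for readability,
 * the code is not PHP's. */
typedef struct {
    char   *data;  /* the one live allocation */
    char   *aptr;  /* temporary for the realloc result */
    size_t  size;  /* capacity in bytes */
    size_t  used;  /* bytes written so far */
} grow_buf;

/* Hypothetical allocator hook: standard realloc(), which unlike PHP's
 * erealloc() can return NULL, plus a switch to force exactly one failure
 * so the error path can be exercised offline. */
static int fail_next_realloc = 0;

static void *hook_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;          /* simulate allocation failure; p stays valid */
    }
    return realloc(p, n);
}

/* Copies `in` into a buffer that grows by `chunk` bytes per round, refusing
 * to grow once `max` bytes are used (max == 0 means unlimited).
 * Returns 0 and hands the buffer to the caller via *out / *out_len, or
 * returns -1 (memory error or cap reached) after freeing the buffer once. */
int grow_copy(const char *in, size_t in_len, size_t max, size_t chunk,
              char **out, size_t *out_len)
{
    grow_buf buffer;
    size_t pos = 0;
    int status = 0;

    *out = NULL;
    *out_len = 0;
    if (chunk == 0) {
        return -1;
    }
    buffer.size = chunk;
    buffer.used = 0;
    buffer.data = malloc(buffer.size);
    if (!buffer.data) {
        return -1;
    }

    do {
        /* Same shape as zlib.c line 367: the realloc result goes into aptr,
         * so on failure buffer.data still points at the old, valid block. */
        if ((max && (max <= buffer.used)) ||
            !(buffer.aptr = hook_realloc(buffer.data, buffer.size))) {
            status = -1;                      /* stands in for Z_MEM_ERROR */
        } else {
            size_t avail, n;
            buffer.data = buffer.aptr;        /* adopt the (possibly moved) block */
            avail = buffer.size - buffer.used;
            n = (in_len - pos < avail) ? in_len - pos : avail;
            memcpy(buffer.data + buffer.used, in + pos, n);
            buffer.used += n;
            pos += n;
            if (pos < in_len) {
                buffer.size += chunk;         /* ask for more room next round */
            }
        }
    } while (status == 0 && pos < in_len);

    if (status == 0) {
        *out = buffer.data;                   /* ownership passes to the caller */
        *out_len = buffer.used;
        return 0;
    }

    /* Same shape as lines 393-395: exactly one free of the one live block.
     * The NULL test is redundant here (free(NULL) is a no-op in C, and data
     * is never NULL on this path) but harmless. */
    if (buffer.data) {
        free(buffer.data);
    }
    return -1;
}
```

Three runs show the point: an uncapped copy succeeds and returns the buffer; a cap of 8 bytes trips the `max <= buffer.used` test on the third round and the buffer is freed once; a forced `realloc` failure leaves `buffer.data` pointing at the original block, which is again freed exactly once. Running the program under a memory checker (valgrind or AddressSanitizer) reports neither a leak nor a double free in any of the three cases.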
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Feb 24 03:01:25 2020 UTC