Sec Bug #68719 double free
Submitted: 2015-01-02 08:53 UTC Modified: 2015-01-05 16:36 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: Zlib related
PHP Version: 5.4Git-2015-01-02 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None

 [2015-01-02 08:53 UTC] bugreports at internot dot info

In /ext/zlib/zlib.c:

If this is true:
367                if ((max && (max <= buffer.used)) || !(buffer.aptr = erealloc_recoverable(, buffer.size))) {
368                        status = Z_MEM_ERROR;

then this will execute:

393                if ( {
394                        efree(;
395                }

That if( statement will do nothing. It will always evaluate to NULL.



 [2015-01-03 05:30 UTC]
-Status: Open +Status: Feedback
 [2015-01-03 05:30 UTC]
Not sure I understand how double free happens here. If condition on line 367 is true, that means 0 < max <= buffer.used, which means the loop runs at least once, i.e. is not NULL. So it always frees it. But where is the second free?
 [2015-01-03 05:44 UTC] bugreports at internot dot info
-Status: Feedback +Status: Open
 [2015-01-03 05:44 UTC] bugreports at internot dot info
So apparently I sent this without enough sleep.

I assumed erealloc_recoverable() freed

But anyway, if not, there's a non-security-related bug

The test here:

393                if ( {
394                        efree(;
395                }

is useless.

even if = NULL, it should be freed, no?
Just as long as has allocated memory, it shouldn't be.

 [2015-01-03 05:45 UTC]
-Status: Open +Status: Not a bug
 [2015-01-03 05:45 UTC]
If erealloc_recoverable frees the data, it returns another pointer to a newly allocated buffer. erealloc, just like emalloc, does not return nulls.
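The pointer-ownership rule the thread turns on, as an added C example that is not PHP's code: a realloc that fails leaves the old block allocated and untouched (realloc(3) semantics), so storing the result in a temporary (`buffer.aptr` in zlib.c) and only then assigning it over `buffer.data` means the old pointer is never lost and is freed exactly once on the error path, with no double free. The tracked allocator hooks, the `growbuf` layout and `fill_rounds` are assumptions written for this example; the memcpy stands in for inflate(), and the hook returns NULL on a chosen call purely to exercise the failure path, whatever the real allocator does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ST_OK = 0, ST_MEM_ERROR = 1 };

/* Test hooks (assumption: instrumentation written for this example, not a Zend API).
 * On the chosen call the hook returns NULL; like realloc(3), the old block stays
 * allocated and owned by the caller in that case. */
static int g_fail_on_call = 0;   /* 1-based index of the realloc call that fails; 0 = never */
static int g_calls = 0;
static int g_live = 0;           /* blocks allocated and not yet freed */

static void *tracked_realloc(void *old, size_t n)
{
    void *p;
    g_calls++;
    if (g_calls == g_fail_on_call) {
        return NULL;             /* simulated OOM: `old` is still valid */
    }
    p = realloc(old, n);
    if (p && !old) {
        g_live++;                /* fresh block; growing an existing one keeps the count */
    }
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        g_live--;                /* free(NULL) is a no-op, so there is nothing to count */
    }
    free(p);
}

void reset_hooks(int fail_on_call) { g_fail_on_call = fail_on_call; g_calls = 0; g_live = 0; }
int live_blocks(void) { return g_live; }
void release(char *p) { tracked_free(p); }

typedef struct { char *data, *aptr; size_t size, used, avail; } growbuf;

/* Copies `in` into a geometrically growing buffer round by round, the way an
 * inflate loop fills its output. `max` caps the output size (0 = no cap).
 * On success the caller owns *out; on failure nothing is left allocated. */
int fill_rounds(const char *in, size_t in_len, size_t max, char **out, size_t *out_len)
{
    growbuf b = {NULL, NULL, 0, 0, 0};
    size_t consumed = 0;
    int status = ST_OK;

    *out = NULL;
    *out_len = 0;
    b.size = 4;                  /* deliberately small first block so the loop grows more than once */
    if (max && max < b.size) {
        b.size = max;
    }

    do {
        /* realloc into a temporary: if it fails, b.data still names the old block */
        if ((max && max <= b.used) || !(b.aptr = tracked_realloc(b.data, b.size))) {
            status = ST_MEM_ERROR;
            break;
        }
        b.data = b.aptr;
        b.avail = b.size - b.used;
        size_t n = in_len - consumed;
        if (n > b.avail) {
            n = b.avail;
        }
        memcpy(b.data + b.used, in + consumed, n);
        b.used += n;
        consumed += n;
        b.size += (b.size >> 3) + 1;
        if (max && max < b.size) {
            b.size = max;
        }
    } while (consumed < in_len);

    if (status == ST_OK) {
        *out = b.data;
        *out_len = b.used;
    } else {
        tracked_free(b.data);    /* the single free; a failed realloc never freed this block */
    }
    return status;
}

int main(void)
{
    char *out;
    size_t len;
    reset_hooks(2);              /* make the second realloc fail */
    printf("status=%d live=%d\n", fill_rounds("double free?", 12, 0, &out, &len), live_blocks());
    return 0;
}
```

Running it with the second realloc failing reports status=1 and live=0: the error path frees the old block once and leaves nothing allocated. The `if (b.data)` guard the report calls useless would be harmless but redundant here too, since free(NULL) does nothing.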
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Feb 02 22:03:49 2023 UTC