PHP 5.6.5 Double free with disabled ZMM

2015.03.10
Credit: internot
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Description: ------------ Hi, In /ext/fileinfo/libmagic/apprentice.c: 2609 if ((map = CAST(struct magic_map *, ecalloc(1, sizeof(*map)))) == NULL) { 2610 file_oomem(ms, sizeof(*map)); 2611 efree(map); 2612 goto error; 2613 } That goes to error: 2730error: 2731 if (stream) { 2732 php_stream_close(stream); 2733 } 2734 apprentice_unmap(map); which as you can see, does a double free of 'map'. The line in the apprentice_unmap function: 499 if (map == NULL) is kind of useless, because even if it has already been freed, it won't be NULL(unless the php implementation of efree does something different?) Thanks,

References:

http://seclists.org/oss-sec/2015/q1/789
https://bugs.php.net/bug.php?id=68827


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top