PHP 5.6.5 Double free with disabled ZMM

2015.03.10

Credit: internot

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Description:
------------
Hi,
In /ext/fileinfo/libmagic/apprentice.c:
2609 if ((map = CAST(struct magic_map *, ecalloc(1, sizeof(*map)))) == NULL) {
2610 file_oomem(ms, sizeof(*map));
2611 efree(map);
2612 goto error;
2613 }
That goes to error:
2730error:
2731 if (stream) {
2732 php_stream_close(stream);
2733 }
2734 apprentice_unmap(map);
which as you can see, does a double free of 'map'.
The line in the apprentice_unmap function:
499 if (map == NULL)
is kind of useless, because even if it has already been freed, it won't be NULL(unless the php implementation of efree does something different?)
Thanks,

References:

http://seclists.org/oss-sec/2015/q1/789

https://bugs.php.net/bug.php?id=68827

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP 5.6.5 Double free with disabled ZMM

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.