PHP 5.6.5 Double free with disabled ZMM

2015.03.10

Credit: internot

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Description:
------------
Hi,

In /ext/fileinfo/libmagic/apprentice.c:

2609        if ((map = CAST(struct magic_map *, ecalloc(1, sizeof(*map)))) == NULL) {
2610                file_oomem(ms, sizeof(*map));
2611                efree(map);
2612                goto error;
2613        }

That goes to error:

2730error:
2731        if (stream) {
2732                php_stream_close(stream);
2733        }
2734        apprentice_unmap(map);

which as you can see, does a double free of 'map'.

The line in the apprentice_unmap function:
499        if (map == NULL)
is kind of useless, because even if it has already been freed, it won't be NULL(unless the php implementation of efree does something different?)


Thanks,

References:

http://seclists.org/oss-sec/2015/q1/789

https://bugs.php.net/bug.php?id=68827

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP 5.6.5 Double free with disabled ZMM

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.