Double-free vulnerability in contrib/shpsort.c #39
Comments
Instead of opening the issue, a pull request could be a time saver
eldstal added a commit to eldstal/shapelib that referenced this issue Jan 3, 2022
This fixes issue OSGeo#39
Fair point.
rouault added a commit that referenced this issue Jan 3, 2022
Remove double free() in contrib/shpsrt, issue #39
This vulnerability has been assigned CVE-2022-0699 by the Red Hat CNA.
Summary
The buffer `copy` is freed twice, leading to possible memory corruption or vulnerability.
Cause
In `split()`, at shpsort.c:107, the buffer `copy` is free'd. If `realloc()` fails on line 110, the buffer `copy` is freed again at shpsort.c:116.
Impact
A double-free bug can lead to an attacker gaining control over the values returned from `malloc()`, which in turn may allow both disclosure of sensitive data (e.g. bypassing additional safety features) or in the worst case hostile code execution.
Vulnerable version
Proposed mitigation
Remove line 116, as it is redundant.
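
The pattern reported above, as an added example that is not shapelib's code: a constructed model of a `split()`-style tokenizer in which the working copy is released after tokenizing and released again on the late `realloc()` failure path. The names `split_model`, `free_copy`, `free_tokens`, `copy_frees` and `frees_on_failure` are hypothetical; the instrumented `free_copy` counts releases so the second one is observable without being performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed instrumentation, not shapelib code: every release of copy is
 * counted, but free() runs only once so the demo never double-frees itself. */
static int copy_frees;
static void free_copy(char **copy) { if (copy_frees++ == 0) free(*copy); }
static void free_tokens(char **v, int n) { while (n > 0) free(v[--n]); free(v); }

/* Splits arg on delim into a NULL-terminated array (NULL on failure).
 * fail simulates the last realloc() failing; patched removes the bug. */
static char **split_model(const char *arg, const char *delim, int fail, int patched)
{
    char *copy = malloc(strlen(arg) + 1), **result = NULL, **tmp;
    int n = 0;
    if (!copy) return NULL;
    strcpy(copy, arg);
    for (char *tok = strtok(copy, delim); tok; tok = strtok(NULL, delim)) {
        char *dup = malloc(strlen(tok) + 1);
        tmp = dup ? realloc(result, sizeof *result * (n + 1)) : NULL;
        if (!tmp) {                       /* copy is still live on this path */
            free(dup); free_tokens(result, n); free_copy(&copy);
            return NULL;
        }
        result = tmp;
        result[n++] = strcpy(dup, tok);
    }
    free_copy(&copy);                     /* first release: tokenizing is done */
    tmp = fail ? NULL : realloc(result, sizeof *result * (n + 1));
    if (!tmp) {
        free_tokens(result, n);
        if (!patched) free_copy(&copy);   /* second release of the same buffer */
        return NULL;
    }
    tmp[n] = NULL;
    return tmp;
}

static int frees_on_failure(int patched)
{
    copy_frees = 0;                       /* count releases on the failing path */
    return split_model("a,b,c", ",", 1, patched) ? -1 : copy_frees;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", frees_on_failure(0), frees_on_failure(1));
    return 0;
}
```

The count of 2 on the unpatched path appears only when the final allocation fails, so ordinary functional tests never reach it; fault injection on the allocator, or a run under a memory checker with allocation failures forced, is what exposes it.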