Double-free vulnerability in contrib/shpsort.c #39
Comments
|
Instead of opening the issue, a pull request could be a time saver |
eldstal
added a commit
to eldstal/shapelib
that referenced
this issue
Jan 3, 2022
This fixes issue OSGeo#39
|
Fair point. |
rouault
added a commit
that referenced
this issue
Jan 3, 2022
Remove double free() in contrib/shpsrt, issue #39
|
This vulnerability has been assigned CVE-2022-0699 by the Red Hat CNA. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
The buffer
copyis freed twice, leading to possible memory corruption or vulnerability.Cause
In
split(), at shpsort.c:107, the buffercopyis free'd.realloc()fails on line 110, the buffercopyis freed again at shpsort.c:116.Impact
A double-free bug can lead to an attacker gaining control over the values returned from
malloc(), which in turn may allow both disclosure of sensitive data (e.g. bypassing additional safety features) or in the worst case hostile code execution.Vulnerable version
Proposed mitigation
Remove line 116, as it is redundant.
The text was updated successfully, but these errors were encountered: