I have come across a double free in jpegoptim. Please see the ASAN report below.
The crash file test case can be found here.
This was found in commit d23abf2.
The command to compile the binary is as follows:

    CC=clang CXX=clang++ CFLAGS='-fsanitize=address,undefined -g -O2' CXXFLAGS=$CFLAGS make
This double-free could be used to assist in exploiting the software via heap manipulation resulting in code execution.
    =================================================================
    ==24775==ERROR: AddressSanitizer: attempting double-free on 0x62d00000a400 in thread T0:
        #0 0x4c4780 (/root/jpegoptim/jpegoptim_afl+0x4c4780)
        #1 0x4f9c60 (/root/jpegoptim/jpegoptim_afl+0x4f9c60)
        #2 0x7f9a700c1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x41a765 (/root/jpegoptim/jpegoptim_afl+0x41a765)

    0x62d00000a400 is located 0 bytes inside of 39485-byte region [0x62d00000a400,0x62d000013e3d)
    freed by thread T0 here:
        #0 0x4c4e6d (/root/jpegoptim/jpegoptim_afl+0x4c4e6d)
        #1 0x4faf9b (/root/jpegoptim/jpegoptim_afl+0x4faf9b)

    previously allocated by thread T0 here:
        #0 0x4c4ac8 (/root/jpegoptim/jpegoptim_afl+0x4c4ac8)
        #1 0x4f7078 (/root/jpegoptim/jpegoptim_afl+0x4f7078)
        #2 0x7f9a700c1f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

    SUMMARY: AddressSanitizer: double-free (/root/jpegoptim/jpegoptim_afl+0x4c4780)
    ==24775==ABORTING
Thanks, looks like recent merge 139a558 introduced this. Fix has been checked-in.
Issue wasn't technically "double-free" but realloc() and free() using now stale pointer...
Fix was to update the pointer to the buffer after realloc(): 5b38e8e
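The bug class the maintainer describes, as an added example written for this page (it is not jpegoptim's code and does not reproduce the commits above): a growable output buffer is reallocated inside a helper, a caller keeps the pointer it read before the call, and the stale copy is later passed to free(). Because a real free() of a stale pointer is undefined behaviour and would abort under ASan exactly as in the report, the demo routes allocations through a small tracking table and a realloc() wrapper that always moves the block (the way a sanitizer allocator does), so the stale free is returned as an error code instead. The `outbuf` structure, `moving_realloc`, the tracker and both caller functions are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Demo-only allocation tracker (assumption: single-threaded): a table of
 * live heap pointers, so that freeing a stale pointer can be reported
 * rather than corrupting the heap or aborting the process. */
static void *live[MAX_LIVE];

static void track_add(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return; }
    }
    abort(); /* demo table exhausted; not reachable in this example */
}

/* 0 if p was live (and is now removed), -1 if p is stale or unknown. */
static int track_remove(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; return 0; }
    }
    return -1;
}

/* realloc() that always moves the block, so the old pointer is guaranteed
 * to be stale afterwards. Like realloc(), on failure it returns NULL and
 * leaves the old block untouched and still owned by the caller. */
static unsigned char *moving_realloc(unsigned char *old, size_t oldsz, size_t newsz)
{
    unsigned char *nw = malloc(newsz);
    if (nw == NULL)
        return NULL;
    if (old != NULL) {
        memcpy(nw, old, oldsz < newsz ? oldsz : newsz);
        track_remove(old);
        free(old);
    }
    track_add(nw);
    return nw;
}

/* free() through the tracker: -1 for a stale or double free, 0 otherwise. */
static int checked_free(unsigned char *p)
{
    if (track_remove(p) != 0)
        return -1;
    free(p);
    return 0;
}

/* Growable output buffer. Growing it can move ob->data, so callers must
 * re-read ob->data after any call that may grow the buffer. */
struct outbuf { unsigned char *data; size_t cap; size_t len; };

static int outbuf_append(struct outbuf *ob, const unsigned char *src, size_t n)
{
    if (ob->len + n > ob->cap) {
        size_t newcap = (ob->len + n) * 2;
        unsigned char *nw = moving_realloc(ob->data, ob->cap, newcap);
        if (nw == NULL)
            return -1;      /* ob->data still valid; caller keeps ownership */
        ob->data = nw;      /* the fix: publish the new pointer */
        ob->cap = newcap;
    }
    memcpy(ob->data + ob->len, src, n);
    ob->len += n;
    return 0;
}

/* Shared driver: an 8-byte buffer and a 32-byte chunk that forces a grow. */
static int run_caller(int use_stale_pointer)
{
    unsigned char chunk[32];                 /* constructed sample input */
    memset(chunk, 'A', sizeof chunk);
    struct outbuf ob = { moving_realloc(NULL, 0, 8), 8, 0 };
    if (ob.data == NULL)
        return -2;
    unsigned char *cached = ob.data;         /* copy taken before the grow */
    if (outbuf_append(&ob, chunk, sizeof chunk) != 0) {
        checked_free(ob.data);
        return -2;
    }
    if (ob.len != sizeof chunk || memcmp(ob.data, chunk, sizeof chunk) != 0) {
        checked_free(ob.data);
        return -3;                           /* contents lost during the grow */
    }
    int rc;
    if (use_stale_pointer) {
        rc = checked_free(cached);           /* bug: cached pointer is stale */
        checked_free(ob.data);               /* release the live block for the demo */
    } else {
        rc = checked_free(ob.data);          /* fix: pointer re-read after the grow */
    }
    return rc;
}

int buggy_caller(void) { return run_caller(1); }  /* -1: free of a stale pointer */
int fixed_caller(void) { return run_caller(0); }  /*  0: one block, freed once  */

int main(void)
{
    printf("buggy caller: %d (stale free reported)\n", buggy_caller());
    printf("fixed caller: %d\n", fixed_caller());
    return 0;
}
```

Two things worth noticing when reviewing similar code: the grow helper stores the new pointer only after checking for NULL, so a failed realloc() neither leaks the old block nor leaves the structure pointing at freed memory, and the caller never holds a second copy of the buffer pointer across a call that may grow it. With a production allocator the stale free in `buggy_caller` would not always be caught, because realloc() is free to grow the block in place; ASan catches it reliably because its allocator always moves the block, which is why the reporter's fuzzing build surfaced it.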