Description
./upx.out --version
upx 3.95-git-d9288213ec15
This is a bug in decompression (`upx -d` or `upx -t`), which matters more than a bug in compression: decompression is the path that runs on untrusted input.
The crash happens when a MemBuffer is destroyed at the end of PackLinuxElf64::unpack: MemBuffer::dealloc calls checkState, which finds the guard word after the end of the allocated block overwritten ("memory clobbered past end of allocated block") and throws an internal error. Because the throw originates inside a destructor, the exception cannot propagate and the process aborts (SIGABRT). The message is therefore not an invalid-free detection; it is the heap buffer's bounds check reporting that something wrote past the end of the block earlier in unpack.
#9 0x0000000000465a65 in throwInternalError (msg=msg@entry=0x67a348 "memory clobbered past end of allocated block") at except.cpp:155
#10 0x00000000004dacce in MemBuffer::checkState (this=0x7fffffffd360) at mem.cpp:180
#11 MemBuffer::dealloc (this=0x7fffffffd360) at mem.cpp:92
#12 MemBuffer::~MemBuffer (this=0x7fffffffd360, __in_chrg=) at mem.cpp:73
#13 0x00000000005045bc in PackLinuxElf64::unpack (this=, fo=) at p_lx_elf.cpp:3923
Since the clobbered block is filled from attacker-controlled data in the packed file, an attacker can cause an out-of-bounds heap write during unpacking. The guard check only detects the overwrite after the fact, at dealloc time, so the write itself has already landed on whatever the allocator placed after the block; how far that can be pushed towards a controlled double free or code execution is not established by this trace and would need further analysis.
