According to the C Standard [ISO/IEC 9899:2011], the behavior of a program that uses the value of a pointer that refers to space deallocated by a call to the free() or realloc() function is undefined. (See undefined behavior 177 of Annex J.)

...

In this noncompliant example (CVE-2009-1364) from libwmf version 0.2.8.4, the return value of gdRealloc (a simple wrapper around realloc that reallocates the space pointed to by im->clip->list) is stored in more, but im->clip->list itself is never updated. The code then writes through im->clip->list immediately afterwards. ISO/IEC 9899:2011 specifies that if realloc moves the object to a new location, the old block is freed, so that write lands in deallocated memory. An attacker can exploit this by forcing a reallocation (by supplying enough rectangles to make im->clip->count reach im->clip->max) and so causing the program to access freed memory, which can lead to arbitrary code execution [xorl 2009].


void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
  gdClipRectanglePtr more;
  if (im->clip == 0) {
    ...
  }
  if (im->clip->count == im->clip->max) {
    more = gdRealloc (im->clip->list,(im->clip->max + 8) *
                      sizeof (gdClipRectangle));
    if (more == 0) return; /* if realloc fails, im->clip->list is still valid */
    im->clip->max += 8;
    /* BUG: im->clip->list is never set to more; if realloc moved the block,
       im->clip->list now points at freed memory */
  }
  im->clip->list[im->clip->count] = (*rect); /* write through the stale pointer */
  im->clip->count++;

...


void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
  gdClipRectanglePtr more;
  if (im->clip == 0) {
    ...
  }
  if (im->clip->count == im->clip->max) {
    more = gdRealloc (im->clip->list,(im->clip->max + 8) *
                      sizeof (gdClipRectangle));
    if (more == 0) return; /* on failure the old block is untouched and still usable */
    im->clip->max += 8;
    im->clip->list = more; /* use the pointer realloc returned, never the old one */
  }
  im->clip->list[im->clip->count] = (*rect);
  im->clip->count++;
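The following is an added, stand-alone C example written for this page; it is not libwmf code and does not use libwmf's types. It reproduces the compliant pattern above with hypothetical names (clip_set, clip_rect, clip_set_add) and adds the two checks a practitioner would want: that contents survive several reallocations when the list pointer is updated correctly, and that a failed growth leaves the old list valid so the caller can keep using it. The grow_list() wrapper and its fail_next_grow hook are constructed for this example so the failure path can be exercised deterministically.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for libwmf's clip structures. */
typedef struct { int x0, y0, x1, y1; } clip_rect;

typedef struct {
    clip_rect *list;   /* heap array of rectangles */
    int count;         /* rectangles in use */
    int max;           /* rectangles allocated */
} clip_set;

/* Test hook (constructed for this example): when nonzero, the next growth
 * attempt reports failure instead of calling realloc(), so the failure path
 * can be exercised without exhausting memory. */
static int fail_next_grow = 0;

static clip_rect *grow_list(clip_rect *old, size_t n)
{
    if (fail_next_grow) {
        fail_next_grow = 0;
        return NULL;           /* like a failed realloc: old block untouched */
    }
    return realloc(old, n * sizeof *old);
}

/* Compliant append: the realloc result goes into a temporary, and cs->list is
 * overwritten only on success, so the old pointer is never used after the
 * block may have been freed. Returns 0 on success, -1 if growth failed
 * (cs->list is still valid and unchanged in that case). */
int clip_set_add(clip_set *cs, const clip_rect *r)
{
    if (cs->count == cs->max) {
        clip_rect *more = grow_list(cs->list, (size_t)cs->max + 8);
        if (more == NULL)
            return -1;
        cs->list = more;       /* from here on, only the new pointer is used */
        cs->max += 8;
    }
    cs->list[cs->count] = *r;
    cs->count++;
    return 0;
}

/* Adds n rectangles, forcing a reallocation every 8 adds, then checks that
 * every stored rectangle is intact. Returns the final count, or -1 on error. */
int demo_append(int n)
{
    clip_set cs = { NULL, 0, 0 };
    for (int i = 0; i < n; i++) {
        clip_rect r = { i, i, i + 1, i + 1 };
        if (clip_set_add(&cs, &r) != 0) { free(cs.list); return -1; }
    }
    for (int i = 0; i < cs.count; i++)
        if (cs.list[i].x0 != i || cs.list[i].x1 != i + 1) { free(cs.list); return -1; }
    int count = cs.count;
    free(cs.list);
    return count;
}

/* Exercises the failure path: growth fails once, the old list must still hold
 * its contents, and a retry must succeed. Returns 1 if all checks pass. */
int demo_grow_failure(void)
{
    clip_set cs = { NULL, 0, 0 };
    int ok = 1;
    for (int i = 0; i < 8; i++) {                 /* fill the first 8-slot block */
        clip_rect r = { i, 0, 0, 0 };
        if (clip_set_add(&cs, &r) != 0) ok = 0;
    }
    clip_rect extra = { 99, 0, 0, 0 };
    fail_next_grow = 1;
    if (clip_set_add(&cs, &extra) != -1) ok = 0;  /* growth must report failure */
    if (cs.count != 8 || cs.max != 8 || cs.list[7].x0 != 7) ok = 0; /* old list intact */
    if (clip_set_add(&cs, &extra) != 0) ok = 0;   /* retry without the hook succeeds */
    if (cs.count != 9 || cs.list[8].x0 != 99) ok = 0;
    free(cs.list);
    return ok;
}

int main(void)
{
    printf("appended %d rectangles\n", demo_append(100));
    printf("failure path %s\n", demo_grow_failure() ? "ok" : "FAILED");
    return 0;
}
```

The ordering inside clip_set_add is the whole point: the result of realloc is checked, assigned to the list pointer, and only then is max increased. Assigning max first, as the noncompliant libwmf code did, leaves a window where count and max describe the new block while the pointer still names the old one.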

...

CERT C++ Secure Coding Standard: MEM30-CPP. Do not access freed memory

ISO/IEC 9899:2011 Section 7.22.3.3, "The free function"

ISO/IEC TR 17961 Accessing freed memory [accfree]

ISO/IEC TR 24772 "DCM Dangling references to stack frames" and "XYK Dangling Reference to Heap"

...