Comment: changed C standard to ISO/IEC 9899:1999 in 3rd noncompliant code example

...

In this noncompliant example ([CVE-2009-1364|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1364]) from {{libwmf}} version 0.2.8.4, the return value of {{gdRealloc}} (a simple wrapper around {{realloc}} that reallocates the space pointed to by {{im->clip->list}}) is assigned to {{more}}. However, the value of {{im->clip->list}} is used directly afterwards in the code, and the [ISO/IEC 9899:1999|AA. C Standard References#ISO/IEC 9899-1999] specifies that if {{realloc}} moves the area pointed to, then the original is freed. An attacker can then execute arbitrary code by forcing a reallocation (with a sufficient {{im->clip->count}}) and accessing freed memory \[[xorl 2009|AA. C References#xorl 2009-1364/]\].
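
The pattern described above, next to a corrected form, as an added example that is not the libwmf source or code from this page. The types {{rect_t}} and {{clip_t}}, the function names, and the growth step of 8 entries are assumptions chosen to mirror the {{list}}/{{count}} fields named in the text.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical types modelled on the description above; not libwmf's code. */
typedef struct { int x0, y0, x1, y1; } rect_t;
typedef struct { rect_t *list; size_t count; size_t max; } clip_t;

/* Noncompliant pattern: the realloc result is stored in `more`, but the
 * write goes through clip->list, which is freed if the block was moved. */
int clip_add_noncompliant(clip_t *clip, rect_t r) {
    if (clip->count == clip->max) {
        rect_t *more = realloc(clip->list, (clip->max + 8) * sizeof *more);
        if (more == NULL) return 0;
        clip->max += 8;            /* BUG: clip->list is never set to more */
    }
    clip->list[clip->count++] = r; /* possible write to freed memory */
    return 1;
}

/* Compliant pattern: check the size computation for overflow, then publish
 * the new pointer before any further access. If realloc fails, the old
 * block is still valid and still owned by clip->list. */
int clip_add(clip_t *clip, rect_t r) {
    if (clip->count == clip->max) {
        size_t new_max = clip->max + 8;
        if (new_max < clip->max || new_max > SIZE_MAX / sizeof(rect_t))
            return 0;
        rect_t *more = realloc(clip->list, new_max * sizeof *more);
        if (more == NULL)
            return 0;
        clip->list = more;         /* the old pointer value is never reused */
        clip->max = new_max;
    }
    clip->list[clip->count++] = r;
    return 1;
}

/* Adds n constructed rectangles and returns how many were stored. */
size_t clip_fill(clip_t *clip, size_t n) {
    size_t stored = 0;
    for (size_t i = 0; i < n; i++) {
        rect_t r = { (int)i, 0, (int)i + 1, 1 };
        stored += (size_t)clip_add(clip, r);
    }
    return stored;
}
```

Building the noncompliant variant with AddressSanitizer ({{-fsanitize=address}}) reports the stale access as a heap-use-after-free on any run where {{realloc}} moves the block.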

...