Closed Bug 1458122 Opened 7 years ago Closed 6 years ago

Potential double free bug in zonemeta.cpp (ICU4C)

Categories: Core :: JavaScript: Internationalization API, defect, P3

Tracking: RESOLVED FIXED, target milestone mozilla63
Tracking Status: firefox63 --- fixed

People: Reporter: pauljt, Assigned: anba

Details

Semmle has detected a potential double free bug in zonemeta.cpp. The mzMappings variable is deleted on line 692, and again on line 706. From https://searchfox.org/mozilla-central/source/intl/icu/source/i18n/zonemeta.cpp#692

        if (mzMappings == NULL) {
            mzMappings = new UVector(deleteOlsonToMetaMappingEntry, NULL, status);
            if (U_FAILURE(status)) {
                delete mzMappings; // mzMappings is deleted here
                uprv_free(entry);
                break;
            }
        }
        mzMappings->addElement(entry, status);
        if (U_FAILURE(status)) {
            break;
        }
    }
    ures_close(mz);
    if (U_FAILURE(status)) {
        if (mzMappings != NULL) {
            delete mzMappings; // we might try to delete mzMappings again

I don't know if/how an attacker might induce this case - there doesn't seem to be a lot of attack surface here, but I'm filing this to investigate further. I also note that this is similar to, but different from, bug 1387937, which was another UAF found through a static analysis tool apparently.
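The control flow of the snippet in comment 0, modelled as an added example (this is neither ICU's code nor the upstream fix from ICU ticket 13749). FakeVector and FakeErrorCode are stand-ins for UVector and UErrorCode, and releases are written to a log rather than performed twice, so the double release can be observed in a test instead of being undefined behaviour. The hardened variant is one assumed way to close the bug: hold the pointer in a std::unique_ptr and reset it in the failure branch, so the pointer is null by the time the cleanup after the loop runs.

```cpp
// Added example (not ICU code): models the control flow of the zonemeta.cpp
// snippet quoted in comment 0. FakeVector and FakeErrorCode are stand-ins
// for UVector and UErrorCode; releases are recorded in a log instead of
// actually freeing twice, so the double release is observable, not UB.
#include <cstddef>
#include <memory>
#include <vector>

typedef int FakeErrorCode;
static const FakeErrorCode FAKE_ZERO_ERROR = 0;
static const FakeErrorCode FAKE_MEMORY_ALLOCATION_ERROR = 7;
static bool fakeFailure(FakeErrorCode c) { return c != FAKE_ZERO_ERROR; }

// Like UVector, the constructor reports allocation failure through the
// status out-parameter; `failConstruction` simulates the OOM case.
struct FakeVector {
    std::vector<int> items;
    FakeVector(bool failConstruction, FakeErrorCode &status) {
        if (failConstruction) status = FAKE_MEMORY_ALLOCATION_ERROR;
    }
    void addElement(int e, FakeErrorCode &status) {
        if (!fakeFailure(status)) items.push_back(e);
    }
};

// Records every release of a FakeVector address.
struct ReleaseLog {
    std::vector<const FakeVector *> released;
    int countFor(const FakeVector *p) const {
        int n = 0;
        for (size_t i = 0; i < released.size(); ++i) if (released[i] == p) ++n;
        return n;
    }
};

// Buggy shape, mirroring the quoted code: the pointer is released in the
// construction-failure branch but not reset to NULL, so the cleanup after
// the loop sees a non-NULL pointer and releases it a second time.
// Returns how many times the vector created on the failing iteration was released.
int buggyFlow(bool failConstruction) {
    ReleaseLog log;
    std::unique_ptr<FakeVector> owner;   // really owns the memory in this model
    FakeErrorCode status = FAKE_ZERO_ERROR;
    FakeVector *mzMappings = NULL;
    const FakeVector *created = NULL;
    for (int entry = 0; entry < 3; ++entry) {
        if (mzMappings == NULL) {
            owner.reset(new FakeVector(failConstruction, status));
            mzMappings = owner.get();
            created = mzMappings;
            if (fakeFailure(status)) {
                log.released.push_back(mzMappings);   // "delete mzMappings;"
                break;                                // mzMappings left dangling
            }
        }
        mzMappings->addElement(entry, status);
        if (fakeFailure(status)) break;
    }
    if (fakeFailure(status) && mzMappings != NULL) {
        log.released.push_back(mzMappings);           // second "delete mzMappings;"
    }
    return created ? log.countFor(created) : 0;
}

// Hardened shape (an assumed fix, not the upstream ICU change): ownership
// lives in a unique_ptr whose deleter logs the release. Resetting it in the
// failure branch both releases and nulls the pointer, so no later cleanup
// can release it again.
struct LoggingDeleter {
    ReleaseLog *log;
    void operator()(FakeVector *p) const { log->released.push_back(p); delete p; }
};

int fixedFlow(bool failConstruction) {
    ReleaseLog log;   // declared before mzMappings so it outlives the deleter call
    FakeErrorCode status = FAKE_ZERO_ERROR;
    std::unique_ptr<FakeVector, LoggingDeleter> mzMappings(nullptr, LoggingDeleter{&log});
    const FakeVector *created = NULL;
    for (int entry = 0; entry < 3; ++entry) {
        if (!mzMappings) {
            mzMappings.reset(new FakeVector(failConstruction, status));
            created = mzMappings.get();
            if (fakeFailure(status)) {
                mzMappings.reset();   // released once, pointer now null
                break;
            }
        }
        mzMappings->addElement(entry, status);
        if (fakeFailure(status)) break;
    }
    // No manual cleanup needed: on failure the pointer is already null; on
    // success the vector is released exactly once when it goes out of scope.
    return created ? log.countFor(created) : 0;
}
```

buggyFlow(true) reports two releases of the same address, which is the pattern Semmle flagged; fixedFlow(true) reports exactly one. On the success path both report zero releases inside the routine, since the vector is only released when the owning pointer goes out of scope.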
Group: core-security-release → javascript-core-security
Component: Internationalization → JavaScript: Internationalization API
When UVector::UVector fails, malloc has failed (due to OOM) inside UVector::UVector. We should file a bug with ICU.
Filed against ICU. http://bugs.icu-project.org/trac/ticket/13749 I think this isn't sec-anything. Unless the last paragraph of comment 0 is still sensitive, we should open it.
Group: javascript-core-security
This has been fixed in upstream trunk. The fix will be in the next ICU release (62.1).
Priority: -- → P3
ICU has been updated to 62.1 by bug 1466471.
Assignee: nobody → andrebargull
Status: NEW → RESOLVED
Closed: 6 years ago
Depends on: 1466471
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Type: enhancement → defect