A use-after-free that leads to a double free was found in the JasPer JPEG-2000 library, in the file src/libjasper/mif/mif_cod.c (the component-parsing routine, mif_process_cmpt). The relevant excerpt, lines 553-588 of the file with the unrelated lines between the two fragments elided:
        case MIF_HSAMP:
            cmpt->sampperx = atoi(jas_tvparser_getval(tvp));
            break;
        case MIF_VSAMP:
            cmpt->samppery = atoi(jas_tvparser_getval(tvp));
            break;
    ...
    jas_tvparser_destroy(tvp);
    if (!cmpt->sampperx || !cmpt->samppery) {
        goto error;
    }
    if (mif_hdr_addcmpt(hdr, hdr->numcmpts, cmpt)) {
        goto error;
    }
    return 0;

error:
    if (cmpt) {
        mif_cmpt_destroy(cmpt);
    }
    if (tvp) {
        jas_tvparser_destroy(tvp);
    }
    return -1;
The first call to jas_tvparser_destroy(tvp), after the tag/value loop, frees both tvp->buf and tvp, but the local pointer tvp is left dangling rather than cleared. If either of the two following checks fails (a zero sampling factor, or mif_hdr_addcmpt() returning non-zero), control reaches the error label, where `if (tvp)` is still true and jas_tvparser_destroy(tvp) runs a second time. Inside that second call, the check of tvp->buf before free() reads the already-freed tvp object (the use-after-free), and the two free() calls that follow release tvp->buf and tvp again (the two double frees). An attacker supplying a crafted MIF file therefore controls whether the error path is taken. The straightforward fix is to set tvp to NULL immediately after the first jas_tvparser_destroy(tvp), so the error path's guard sees no parser left to destroy.

Added example, not JasPer code: the following C program models the pointer-ownership pattern behind this bug with the same shape of function (parse, destroy the parser, two late checks, shared error label). A small quarantining allocator records double frees and use-after-free reads instead of crashing, so the buggy shape and the fixed shape (tvp cleared after the first destroy) can be run side by side on constructed input. All names (q_alloc, tvp_t, cmpt_t, hdr_t, process_cmpt, run_case) and the "hsamp vsamp" line format are invented for illustration; the real mif_cod.c parses tag/value pairs with jas_tvparser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quarantining allocator: freed blocks stay mapped, faults are counted, not fatal. */
#define MAX_BLOCKS 32
static struct { void *p; int live; } blocks[MAX_BLOCKS];
static int nblocks, double_frees, uaf_reads;

static void *q_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || nblocks == MAX_BLOCKS) abort();
    blocks[nblocks].p = p; blocks[nblocks].live = 1; nblocks++;
    return p;
}

static int q_index(const void *p)
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p) return i;
    abort();                      /* pointer never came from q_alloc */
}

static void q_free(void *p)
{
    int i = q_index(p);
    if (!blocks[i].live) double_frees++;
    blocks[i].live = 0;           /* memory kept until q_reset, like ASan's quarantine */
}

static void q_reset(void)
{
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = double_frees = uaf_reads = 0;
}

/* Stand-ins (invented) for jas_tvparser_t, mif_cmpt_t and mif_hdr_t (capacity 1). */
typedef struct { char *buf; } tvp_t;
typedef struct { int sampperx, samppery; } cmpt_t;
typedef struct { cmpt_t *cmpts[1]; int numcmpts; } hdr_t;

static tvp_t *tvp_create(const char *line)
{
    tvp_t *t = q_alloc(sizeof *t);
    t->buf = q_alloc(strlen(line) + 1);
    strcpy(t->buf, line);
    return t;
}

/* Same shape as jas_tvparser_destroy: reads tvp->buf, then frees both. */
static void tvp_destroy(tvp_t *tvp)
{
    if (!blocks[q_index(tvp)].live) uaf_reads++;  /* tvp->buf below reads freed memory */
    if (tvp->buf) q_free(tvp->buf);
    q_free(tvp);
}

static int hdr_addcmpt(hdr_t *hdr, cmpt_t *cmpt)
{
    if (hdr->numcmpts >= 1) return -1;            /* header full */
    hdr->cmpts[hdr->numcmpts++] = cmpt;
    return 0;
}

/* line is "hsamp vsamp"; fixed != 0 applies the one-line fix. */
static int process_cmpt(hdr_t *hdr, const char *line, int fixed)
{
    cmpt_t *cmpt = q_alloc(sizeof *cmpt);
    tvp_t *tvp = tvp_create(line);

    if (sscanf(tvp->buf, "%d %d", &cmpt->sampperx, &cmpt->samppery) != 2)
        goto error;               /* parser still live here: destroyed exactly once */
    tvp_destroy(tvp);             /* first destroy, after the tag loop */
    if (fixed)
        tvp = NULL;               /* clear the dangling pointer */
    if (!cmpt->sampperx || !cmpt->samppery)
        goto error;               /* first error branch */
    if (hdr_addcmpt(hdr, cmpt))
        goto error;               /* second error branch */
    return 0;
error:
    if (cmpt) q_free(cmpt);
    if (tvp) tvp_destroy(tvp);    /* second destroy unless tvp was cleared */
    return -1;
}

/* Parse lines into one header; report faults. Returns the last call's result. */
static int run_case(const char *const *lines, int fixed, int *df, int *uaf)
{
    hdr_t hdr = {{NULL}, 0};
    int rc = 0;
    q_reset();
    for (; *lines; lines++) rc = process_cmpt(&hdr, *lines, fixed);
    *df = double_frees;
    *uaf = uaf_reads;
    q_reset();
    return rc;
}
```

Running run_case() with the constructed lines {"0 2"} (zero sampling factor) or {"2 2", "2 2"} (second component rejected by the full header) against the buggy shape reports one use-after-free read and two double frees per failing component, exactly the three faults described above; the same inputs against the fixed shape report none, and {"2 2"} alone succeeds either way. Under a real allocator the buggy path aborts with a double-free error or corrupts the heap, which is why the model quarantines instead of freeing.
<test>
const char *const zero[] = { "0 2", NULL };
const char *const full[] = { "2 2", "2 2", NULL };
const char *const ok[] = { "2 2", NULL };
int df, uaf;
assert(run_case(zero, 0, &df, &uaf) == -1);
assert(df == 2 && uaf == 1);
assert(run_case(zero, 1, &df, &uaf) == -1);
assert(df == 0 && uaf == 0);
assert(run_case(full, 0, &df, &uaf) == -1);
assert(df == 2 && uaf == 1);
assert(run_case(full, 1, &df, &uaf) == -1);
assert(df == 0 && uaf == 0);
assert(run_case(ok, 1, &df, &uaf) == 0);
assert(df == 0 && uaf == 0);
assert(run_case(ok, 0, &df, &uaf) == 0);
assert(df == 0 && uaf == 0);
</test>
Public via:
http://seclists.org/oss-sec/2015/q3/408
Acknowledgements:
Name: Josselin Feist