CVE-2022-0699: Double-free vulnerability in contrib/shpsort.c · Issue #39 · OSGeo/shapelib
A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc.
Summary
The buffer copy is freed twice, leading to possible memory corruption of the heap allocator's state.
Cause
In split(), the buffer copy is freed at shpsort.c:107. If realloc() then fails at line 110, the buffer copy is freed again at shpsort.c:116.
Impact
A double-free bug can lead to an attacker gaining control over the values returned from malloc(), which in turn may allow disclosure of sensitive data (e.g. bypassing additional safety features) or, in the worst case, hostile code execution.
Vulnerable version
- contrib/shpsort (commit 21ae8fc)
Proposed mitigation
Remove line 116, as it is redundant: the buffer copy has already been freed at line 107.
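The sequence described above, as an added example that is not shapelib's own split() but a hypothetical reconstruction of the error path (first free, later realloc() failure, second free in the failure cleanup). The function names, the `buggy` switch and the sample input are all assumptions. An instrumented free() records each released pointer and counts, instead of performing, a second release of the same pointer, since a real double free is undefined behaviour and aborts under modern allocators; deleting the `buggy` line is the equivalent of the proposed removal of line 116.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the error path in the report (not shapelib's
 * own split()): the copy is released on the "line 107" path, a later realloc()
 * ("line 110") fails, and the failure cleanup ("line 116") releases the copy
 * again. tracked_free() records every pointer it releases and counts, rather
 * than performs, a second release of the same pointer. */

#define MAX_TRACKED 32
static void *freed_ptrs[MAX_TRACKED];
static int   freed_count;
static int   double_free_events;   /* attempted second frees of a tracked pointer */
static int   realloc_calls;
static int   fail_realloc_call;    /* 0 = never fail; k = the k-th realloc() returns NULL */

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) { double_free_events++; return; }   /* second free of the same block */
    }
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    free(p);
}

static void *fallible_realloc(void *p, size_t n)
{
    if (++realloc_calls == fail_realloc_call) return NULL;   /* simulated allocation failure */
    return realloc(p, n);
}

static void free_tokens(char **tokens, size_t n)
{
    for (size_t i = 0; i < n; i++) free(tokens[i]);
    free(tokens);
}

/* Splits s on delim into a NULL-terminated array of duplicated tokens, or
 * returns NULL on allocation failure. With buggy set, the terminator-realloc
 * failure path frees copy a second time. */
static char **split_tokens(const char *s, const char *delim, int buggy)
{
    char *copy = strdup(s);                       /* the "buffer copy" */
    char **result = NULL;
    size_t n = 0;
    if (copy == NULL) return NULL;

    for (char *tok = strtok(copy, delim); tok != NULL; tok = strtok(NULL, delim)) {
        char **grown = fallible_realloc(result, (n + 1) * sizeof *result);
        if (grown == NULL || (grown[n] = strdup(tok)) == NULL) {
            free_tokens(grown != NULL ? grown : result, n);
            tracked_free(copy);                   /* copy still owned here: a single free is correct */
            return NULL;
        }
        result = grown;
        n++;
    }

    tracked_free(copy);                           /* "line 107": tokens are duplicated, copy no longer needed */

    char **grown = fallible_realloc(result, (n + 1) * sizeof *result);   /* "line 110": room for the NULL terminator */
    if (grown == NULL) {
        free_tokens(result, n);
        if (buggy) tracked_free(copy);            /* "line 116": redundant, copy was already freed above */
        return NULL;
    }
    grown[n] = NULL;
    return grown;
}

/* Runs one scenario on a constructed input and returns the token count, or -1
 * on failure; double_free_count() reports what the instrumented free observed. */
int split_scenario(int buggy, int fail_on_call)
{
    freed_count = 0;
    double_free_events = 0;
    realloc_calls = 0;
    fail_realloc_call = fail_on_call;

    char **tokens = split_tokens("x,y,z", ",", buggy);   /* constructed sample input */
    if (tokens == NULL) return -1;
    size_t n = 0;
    while (tokens[n] != NULL) n++;
    free_tokens(tokens, n);
    return (int)n;
}

int double_free_count(void) { return double_free_events; }

int main(void)
{
    int rc = split_scenario(0, 0);
    printf("fixed, no failure: %d tokens, %d double frees\n", rc, double_free_count());
    rc = split_scenario(1, 4);                    /* the 4th realloc() is the terminator growth */
    printf("buggy, realloc #4 fails: rc %d, %d double frees\n", rc, double_free_count());
    rc = split_scenario(0, 4);
    printf("fixed, realloc #4 fails: rc %d, %d double frees\n", rc, double_free_count());
    return 0;
}
```

On a real build the same defect is caught without custom instrumentation: compiling with `-fsanitize=address` reports an "attempting double-free" error at the second release, and current glibc aborts the process with a "double free detected" message, which is the denial-of-service outcome the advisory names. Note that the in-loop failure path frees `copy` exactly once, so the fix is confined to the post-107 cleanup rather than to every error path.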