Closed AiDaiP closed 2 years ago
Very cool find! This one is hard to diagnose though. In looking at the code I do see that line 1225, and hence line 1243 with Fclose(fp), can be reached even when fp is not set on line 1207, e.g. when "must_preprocess" is non-zero. And, since fp is not initialized in the declaration, the pointer could have an arbitrary value from a previous call, that could then lead to the double fclose. It's a bizarre scenario, but possible. I fixed it by initializing fp to NULL in the declaration (which would have been required in any case). I wonder if the fuzzer can still find a path? Excellent report -- thank you for all your efforts!
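The control flow the maintainer describes, reduced to a stand-alone C program as an added example (this is illustration code, not modex's own source): a FILE pointer that is opened on only one branch but closed on a shared cleanup path, with the fix of initializing it to NULL plus a close helper that clears the caller's pointer so a second cleanup cannot become a double fclose. The names `run`, `close_source`, `write_fixture` and the `must_preprocess` parameter are assumptions for the example.

```c
/* Added example modelling the uninitialized-FILE* / double-fclose scenario
 * from the issue discussion. Not modex code; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: writes a small input file so run() can be exercised
 * offline. Returns 0 on success, -1 if the file cannot be written. */
static int write_fixture(const char *path)
{
    FILE *out = fopen(path, "w");
    if (out == NULL)
        return -1;
    fputs("int main(void) { return 0; }\n", out);
    return fclose(out) == 0 ? 0 : -1;
}

/* Closes *fpp at most once: fclose() only runs on a non-NULL pointer, and the
 * caller's variable is cleared so a repeated cleanup is a harmless no-op
 * instead of a second fclose on a freed FILE. Returns 1 if a stream was closed. */
static int close_source(FILE **fpp)
{
    if (fpp == NULL || *fpp == NULL)
        return 0;
    fclose(*fpp);
    *fpp = NULL;
    return 1;
}

/* Models the buggy shape: fp is assigned on one branch only, but the cleanup
 * below is reached on both. Returns the number of streams actually closed
 * (0 or 1), or -1 if the input could not be opened. */
static int run(const char *path, int must_preprocess)
{
    /* Before the fix this was `FILE *fp;` with no initializer: on the
     * must_preprocess path nothing assigns it, so the shared cleanup would
     * pass an indeterminate value (for instance a stale FILE* left on the
     * stack by an earlier call) to fclose(). NULL makes every path defined. */
    FILE *fp = NULL;
    char line[128];
    int closed;

    if (must_preprocess) {
        /* preprocessing branch: the input is handed to an external step and
         * fp is intentionally never opened here */
    } else {
        fp = fopen(path, "r");
        if (fp == NULL)
            return -1;
        if (fgets(line, sizeof line, fp) != NULL)
            line[strcspn(line, "\n")] = '\0';   /* first line of the input */
    }

    /* shared cleanup, reached from both branches */
    closed = close_source(&fp);
    /* a later error path that closes again is now a no-op, not a double fclose */
    close_source(&fp);
    return closed;
}

int main(void)
{
    const char *path = "modex_fixture.c";
    if (write_fixture(path) != 0)
        return 1;
    printf("preprocess branch closed %d stream(s)\n", run(path, 1));
    printf("direct branch closed %d stream(s)\n", run(path, 0));
    remove(path);
    return 0;
}
```

The NULL initializer alone removes the read of an indeterminate pointer; clearing the pointer inside the close helper is the extra step that keeps any remaining path with two cleanups from turning into the double fclose the fuzzer hit. Building with `-fsanitize=address` is the quickest way to confirm a reproducer no longer reports a double-free on the fixed code.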
Use After Free
Description
I am learning model checking, but I ran a fuzzer for fun today.
My fuzzer has found a Use After Free in modex.
The chunk 0x5555555b96b0 was freed. Then the tcache key was covered and the chunk was freed again.
version: acfa291
System information: Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
poc
command
Result
gdb
watch *0x5555555b96b0
c 34
n