Bugtraq mailing list archives

Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions)

From: Anthony DeRobertis <asd () suespammers org>
Date: Fri, 5 Apr 2002 05:21:19 -0500


On Friday, April 5, 2002, at 03:13 AM, Andrew van der Stock wrote:

Apple's statement is: "Mac OS X and Mac OS X Server do not contain this

vulnerability." Does MacOS X and MacOS X Server even have acopy of zlib

(ie libz.so) by default? Or is down to the FreeBSD malloc / free
behavior of MacOS X? Hard to say - not a lot of information to go on.


I'm pretty sure it's the FreeBSD behavior that protects it because:

        Mac OS X includes libz:

/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Libraries/libzip.
jnilib
/usr/lib/libz.1.1.3.dylib
/usr/lib/libz.1.dylib
/usr/lib/libz.dylib

The following program does not crash, and indeed producesthe warning messages that FreeBSD describes it should:


#include <stdlib.h>

int main() {
    void *ptr;
    int x;
    for (x = 0; x < 10000; ++x) {
        ptr = malloc(123456);
        free(ptr);
        free(ptr);
    }
    return 0;
}

It produces these warnings:

*** malloc[27202]: Deallocation of a pointer not malloced:0x84000; This could be a double free(), or free() called withthe middle of an allocated block; Try setting environmentvariable MallocHelp to see tools to help debug

(many, many times)

Current thread:

VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Andrew van der Stock (Apr 02)
- Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Anthony DeRobertis (Apr 05)
  - RE: VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Andrew van der Stock (Apr 05)
    - Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Anthony DeRobertis (Apr 05)
    - Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions) Nick Lamb (Apr 08)