Zero fields after g_free to avoid double-free (!74) · Merge requests · GNOME / gexiv2

Kevin Backhouse requested to merge kevin.backhouse/gexiv2:fix-double-free into master Jun 04, 2023

This fixes a bug that was discovered in gimp: gimp#8816 (closed) It was reported to the Exiv2 project, which is how I became aware of it: https://github.com/Exiv2/exiv2/issues/2566

The bug is a double-free. Here's a brief description of what happens when you run the reproduction steps described in gimp issue 8816:

The image contains invalid metadata which causes the call to getPreviewProperties() at line 383 to throw an exception.
The exception is caught and the preview_manager field is deleted, but not zeroed.
gexiv2_metadata_finalize is called and the preview_manager field is deleted a second time.

I have fixed the bug by zeroing the fields after they are freed.

P.S. I think it might be worth issuing a CVE for this bug, because a double-free is a memory corruption bug that could potentially be exploited. The gimp issue shows that the bug can be triggered by loading an invalid image file in gimp.

Zero fields after g_free to avoid double-free

Merge request reports