The libcurl API function curl_maprintf() can be tricked into performing a double-free because of an unsafe size_t multiplication on systems where size_t is 32 bits wide. The function is also used internally in numerous places.
|
The function grows an allocated memory area by doubling its size with realloc(), but the doubled size is allowed to wrap around to zero. realloc() called with a size of zero returns NULL and frees the memory, unlike an ordinary realloc() failure, which only returns NULL and leaves the allocation intact. libcurl treats the NULL as an ordinary failure and frees the memory again in its error path.
|
This behavior is triggerable through the publicly exposed function. Systems with a 64-bit size_t type are not affected by this issue.
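The following added example illustrates the size-wrap pattern described above and a growth step written so the overflow is caught before realloc() can see a size of zero. It is not curl's code; the function names (double_size_u32, checked_double, grow_buffer) are chosen for illustration, and the wrap is modelled with a 32-bit unsigned type so it is visible on any host.

```c
/* Added illustration of the size-wrap double-free pattern; not curl's code. */
#include <stdint.h>
#include <stdlib.h>

/* Unchecked doubling modelled with a 32-bit unsigned type, standing in for a
 * 32-bit size_t: 0x80000000 * 2 wraps to 0. Returns the wrapped product. */
uint32_t double_size_u32(uint32_t n)
{
    return n * 2u;   /* wraps to 0 when the top bit of n is set */
}

/* Checked doubling: refuses to produce a size that wrapped.
 * Returns 0 and stores the product in *out, or -1 on overflow (*out untouched). */
int checked_double(size_t n, size_t *out)
{
    if (n > SIZE_MAX / 2)
        return -1;
    *out = n * 2;
    return 0;
}

/* Growth step that can never call realloc(buf, 0): the overflow check runs
 * first, so the error path never has to guess whether realloc() already freed
 * the block. On failure it returns NULL with *cap unchanged and the caller
 * still owning buf, which it frees exactly once. */
char *grow_buffer(char *buf, size_t *cap)
{
    size_t newcap;
    char *nbuf;

    if (checked_double(*cap, &newcap) != 0)
        return NULL;               /* size would wrap: buf still valid */
    nbuf = realloc(buf, newcap);
    if (nbuf == NULL)
        return NULL;               /* ordinary failure: buf still valid */
    *cap = newcap;
    return nbuf;
}
```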