Re: ZLib double free bug: Windows NT potentially unaffected

[Martijn Lievaart <m () rtij nl>]

Robert Collins wrote:
> > -----Original Message-----
> > From: KJK::Hyperion [mailto:noog () libero it] 
> > Sent: Friday, March 15, 2002 4:52 AM
> > To: bugtraq () securityfocus com
> > Subject: ZLib double free bug: Windows NT potentially unaffected
> >
> > I allocate 4 kb of memory, then I free the block twice. Under 
> > debugging, 
> > this program will emit the following diagnostic message:
> >
> > HEAP[testheap.exe]: Invalid Address specified to RtlFreeHeap( 
> > 130000, 1357f0 )
> >
> > immediately after this, a breakpoint exception (code 
> > 0x80000003) is raised. 
> > So, apparently, the second free operation degrades 
> > gracefully, apparently 
> > without any corruption of in-memory structures, since the subsequent 
> > allocation/deallocation runs fine
>
> Can I suggest you try it with a non-debug build. I've seen heap
> corruption occur in winNT software, that in debug-builds was trapped,
> but in non-debug builds was not.

Actually, this is one of the big differences between debug and non-debug 
builds with MSVC.  Note the name of the routine above, it is 
RtlFreeHeap. This is the MSVC RTL, not WindowsNT memory management.

The MSVC debug builds check for heap corruption on all heap operations, 
as demonstrated above. Non-debug builds don't check, they just assume 
that everything is valid. In this case, the pointer passed to free is 
/not/ valid, which only the debug build will catch. The non-debug build 
could do anything, most likely crash, but almost equally likely it runs 
as if there was no bug.

I'm not sure this would be exploitable though.

Martijn Lievaart