CVE-2017-12858: Heap UAF in _zip_buffer_free() / Double free in _zip_dirent_read()

Disclosed: 2019-10-08 20:32:46 by geeknik to ibb
Severity: High
Vulnerability Details
libzip is a C library for reading, creating, and modifying zip archives. A partial list of projects using libzip includes: [Plex Home Theater](https://support.plex.tv/hc/en-us/articles/204096476-License-Information), MySQL Workbench, ckmame, fuse-zip, lua-zip, **php zip extension**, zipruby, Endeavour2, FreeDink, DeaDBeeF (vfs_zip plugin), OpenLierox, ebook-tools, PDF Expert, ReaddleDocs, simple basic C++ wrapper for libzip, libzip++ - safe and modern c++14 wrapper around libzip, **Adobe (e.g., in Edge)**, PureBasic (ZipPacker), freebasic (ExtLibZip), Mercedes (S-Class), Kerkythea, G3D Innovation Engine, D'Fusion Studio, odt2tex - Libre/OpenOffice to LaTeX converter, *Kobo eReader*, Kchmviewer, **Yubikey NEO CCID Manager C Library**, **Veracrypt**, InstantZip, OpenRCT2 (RollerCoaster Tycoon 2 re-implementation).

- Reported to the vendor on 9 June 2017 via email.
- [Fixed in their master code on 14 August 2017](https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796#diff-df71eca2e47a996fe7a792832da8745c).
- Vendor states it was a 'Double Free' in zip_dirent.c.
- CVE requested on 14 August 2017.
- CVE-2017-12858 assigned on 15 August 2017.
```
==19825==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ece1 at pc 0x0000004fbbe9 bp 0x7ffd4ed8f250 sp 0x7ffd4ed8f248
READ of size 1 at 0x60300000ece1 thread T0
    #0 0x4fbbe8 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:53:9
    #1 0x4ccdc5 in _zip_dirent_read /root/libzip/lib/zip_dirent.c:477:17
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #11 0x4bf29c in _start (/root/libzip/src/zipcmp+0x4bf29c)

0x60300000ece1 is located 1 bytes inside of 32-byte region [0x60300000ece0,0x60300000ed00)
freed by thread T0 here:
    #0 0x4a199b in free (/root/libzip/src/zipcmp+0x4a199b)
    #1 0x4fbbc0 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:57:5
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4a1c1b in __interceptor_malloc (/root/libzip/src/zipcmp+0x4a1c1b)
    #1 0x4fd07b in _zip_buffer_new /root/libzip/lib/zip_buffer.c:168:35
    #2 0x4fd07b in _zip_buffer_new_from_source /root/libzip/lib/zip_buffer.c:190
    #3 0x514487 in _fini (/root/libzip/src/zipcmp+0x514487)

SUMMARY: AddressSanitizer: heap-use-after-free /root/libzip/lib/zip_buffer.c:53 _zip_buffer_free
```
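The trace above shows one buffer, allocated in `_zip_buffer_new_from_source`, being released through `_zip_buffer_free` from two different owners: once from `_zip_checkcons` and once from `_zip_dirent_read`, which the vendor summarised as a double free. The following is an added illustration of that bug class and its remedy, written for this page and not taken from libzip or from the reporter: a constructed `buffer_t`, a reader that either borrows a caller-owned buffer or allocates its own, and a caller modelled on the owner in the trace. The vulnerable reader frees the buffer on its error path regardless of who owns it; the fixed reader keeps an ownership flag and frees only what it allocated. The quarantine shim in `buffer_free` is an assumption that stands in for AddressSanitizer, so the double free is counted instead of corrupting the heap; every function and field name here is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mock of a libzip-style read buffer; not libzip's own code. */
typedef struct {
    unsigned char *data;
    size_t size;
    size_t offset;
    int ok;    /* cleared when a read runs past the end (cf. _zip_buffer_ok) */
} buffer_t;

/* Instrumentation in the spirit of ASan's quarantine: freed buffers are
 * parked instead of released, so a second free is counted rather than
 * corrupting the heap. A real build would simply call free(). */
#define QUARANTINE_MAX 16
static buffer_t *quarantine[QUARANTINE_MAX];
static int quarantine_len = 0;
static int double_free_count = 0;

static buffer_t *buffer_new(const unsigned char *src, size_t n) {
    buffer_t *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(n ? n : 1);
    if (b->data == NULL) { free(b); return NULL; }
    memcpy(b->data, src, n);
    b->size = n;
    b->ok = 1;
    return b;
}

static void buffer_free(buffer_t *b) {
    if (b == NULL) return;
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == b) { double_free_count++; return; }  /* second free */
    free(b->data);
    b->data = NULL;
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = b;
    else free(b);  /* quarantine full: release for real, detection not guaranteed */
}

static void quarantine_flush(void) {
    for (int i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
}

/* Two-byte little-endian read; on overrun marks the buffer bad and returns 0. */
static unsigned buffer_get_16(buffer_t *b) {
    if (b->offset + 2 > b->size) { b->ok = 0; return 0; }
    unsigned v = b->data[b->offset] | (unsigned)b->data[b->offset + 1] << 8;
    b->offset += 2;
    return v;
}

/* Vulnerable shape: the reader either receives a caller-owned buffer or
 * allocates its own, but on the error path frees whichever it holds. When
 * the caller later frees its own buffer, that buffer is freed twice. */
static int dirent_read_vuln(buffer_t *buffer, const unsigned char *src, size_t n) {
    int from_buffer = (buffer != NULL);
    if (!from_buffer) buffer = buffer_new(src, n);
    if (buffer == NULL) return -1;
    (void)buffer_get_16(buffer);      /* first fixed-width header field */
    (void)buffer_get_16(buffer);      /* second field: overruns a 3-byte entry */
    if (!buffer->ok) {
        buffer_free(buffer);          /* BUG: frees the caller's buffer too */
        return -1;
    }
    if (!from_buffer) buffer_free(buffer);
    return 0;
}

/* Fixed shape: the ownership flag governs every free, error path included. */
static int dirent_read_fixed(buffer_t *buffer, const unsigned char *src, size_t n) {
    int from_buffer = (buffer != NULL);
    if (!from_buffer) buffer = buffer_new(src, n);
    if (buffer == NULL) return -1;
    (void)buffer_get_16(buffer);
    (void)buffer_get_16(buffer);
    int rc = buffer->ok ? 0 : -1;
    if (!from_buffer) buffer_free(buffer);   /* only the allocator frees */
    return rc;
}

typedef int (*reader_fn)(buffer_t *, const unsigned char *, size_t);

/* Caller modelled on the owner in the trace (_zip_checkcons): allocate the
 * buffer, hand it to the reader, free it. Returns how many double frees the
 * quarantine recorded during the run. */
static int run_owner(reader_fn reader, const unsigned char *entry, size_t n) {
    int before = double_free_count;
    buffer_t *buf = buffer_new(entry, n);
    if (buf == NULL) return -1;
    (void)reader(buf, NULL, 0);   /* a truncated entry makes the reader fail */
    buffer_free(buf);             /* the owner's own free */
    quarantine_flush();
    return double_free_count - before;
}

/* Constructed inputs: a complete pair of fields and a truncated one. */
static const unsigned char entry_ok[4] = {0x14, 0x00, 0x0a, 0x00};
static const unsigned char entry_short[3] = {0x14, 0x00, 0x0a};

int main(void) {
    printf("vulnerable reader, truncated entry: %d double free(s)\n",
           run_owner(dirent_read_vuln, entry_short, sizeof entry_short));
    printf("fixed reader, truncated entry:      %d double free(s)\n",
           run_owner(dirent_read_fixed, entry_short, sizeof entry_short));
    return 0;
}
```

The point of the ownership flag is that the error path and the success path must agree on who releases the buffer; reviewing every early `return` in a function that can both borrow and allocate is the quickest way to catch this pattern, and building with `-fsanitize=address` turns the second free into the kind of report shown above instead of a silent heap corruption.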
Report Stats
  • Report ID: 260414
  • State: Closed
  • Substate: resolved
  • Upvotes: 3