Closed
CVE-2022-0523
`static pyc_object *get_array_object_generic(RBuffer *buffer, ut32 size)` in libr/bin/format/pyc/marshal.c once caused CVE-2022-0523, which was a double free that could lead to an RCE attack, and was fixed in commit 35482cb.
Potential issue in the same file
`get_dict_object` in libr/bin/format/pyc/marshal.c contains a similar logic flaw that may lead to a double-free vulnerability.
```c
key = get_object (buffer, 0);
if (!key) {
	break;
}
if (!r_list_append (ret->data, key)) {
	r_list_free (ret->data);
	R_FREE (ret);
	free_object (key);
	return NULL;
}
```

Would it make sense to apply the same fix here—i.e. temporarily set `((RList *)ret->data)->free = NULL` before `r_list_free`, as done in 35482cb?
Thanks for your time, and apologies if I missed anything.
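As the issue describes it, the fix in 35482cb clears the list's element-free callback before `r_list_free`, so the list nodes are released but the elements are not. That shape of fix only makes sense when the elements are also owned by some other structure that frees them later; the example below models that situation with a toy list and a "freed" tally instead of real double frees, so it runs safely. It is an added illustration written for this issue, not radare2 code: the `List`/`Obj` types, `build()`, and the assumption that every parsed object is also recorded in a second `refs` owner are constructed for the example and do not describe how marshal.c actually tracks objects.

```c
#include <stdlib.h>
#include <string.h>

/* Toy generic list with an element-free callback (in the spirit of an RList,
 * but NOT radare2's implementation; constructed for this example). */
typedef struct ListItem { void *data; struct ListItem *next; } ListItem;
typedef void (*ListFree)(void *);
typedef struct { ListItem *head; ListFree free; } List;

static List *list_new(ListFree f) {
	List *l = calloc(1, sizeof *l);
	if (l) {
		l->free = f;
	}
	return l;
}

static int list_append(List *l, void *data) {
	ListItem *it = malloc(sizeof *it);
	if (!it) {
		return 0;             /* append failure, like r_list_append returning NULL */
	}
	it->data = data;
	it->next = l->head;
	l->head = it;
	return 1;
}

/* Frees every node; calls the element callback only if one is installed. */
static void list_free(List *l) {
	ListItem *it = l->head;
	while (it) {
		ListItem *n = it->next;
		if (l->free) {
			l->free(it->data);
		}
		free(it);
		it = n;
	}
	free(l);
}

/* Toy object: instead of calling free(), count releases so a second release
 * is detected rather than corrupting the heap as it would in real code. */
typedef struct { int released; } Obj;
static int g_double_frees;

static void obj_release(void *p) {
	Obj *o = p;
	if (o->released++) {
		g_double_frees++;     /* this object was already released once */
	}
}

/* Simulated parse: each object is registered with a long-lived `refs` owner
 * (assumption) and also appended to the container being built. When the
 * container is torn down on an error path, `use_fix` decides whether its
 * free callback is cleared first, as the 35482cb fix does.
 * Returns how many objects were released twice. */
int build(int use_fix) {
	Obj objs[3];
	memset(objs, 0, sizeof objs);
	g_double_frees = 0;

	List *refs = list_new(obj_release);
	List *container = list_new(obj_release);
	for (int i = 0; i < 3; i++) {
		list_append(refs, &objs[i]);
		list_append(container, &objs[i]);
	}

	/* error path: abandon the partially built container */
	if (use_fix) {
		container->free = NULL;   /* release nodes only; refs still owns the objects */
	}
	list_free(container);

	/* later, the other owner releases every object exactly once */
	list_free(refs);
	return g_double_frees;
}

int main(void) {
	/* Without the fix every shared object is released twice; with it, none is. */
	return (build(0) == 3 && build(1) == 0) ? 0 : 1;
}
```

The point the tally makes is about ownership, not about the list API: whichever structure is responsible for freeing the elements must be the only one whose free callback is armed, and an error-path cleanup of a partially built container must not assume it owns what it holds.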