1

When assigning priority for a bug, we had an internal discussion about whether, in C++, deleting an object more than once can result in code execution if the pointer to the object can be corrupted. For objects having a virtual destructor, the answer seems to be obvious here.

However, what is not obvious is whether this could be exploited for code execution when the deleted object is either a standard type (i.e. long), an array, or an instance of a class which does not have a virtual table.

Can this situation result in code execution on any existing popular implementations?

George Y.

1 Answer

2

For basic types, such as long or array, I can't think of a way remote execution could be achieved. With classes, there are many options beyond the virtual table. For example, a member class may have a virtual table. A shared pointer could also be used, as it contains a pointer to a destructor function. Other more exotic cases, such as a destructor calling a function using a pointer, could also happen, and there probably are more. I would recommend taking such a bug seriously.

Peter Harmann
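The cases listed in the answer above can be checked in code. The following is an added example, not part of the original question or answer: it builds a class with no virtual table whose destruction still makes calls through stored pointers, and a compile-time first-pass triage of the type named in a double-delete report. All type and function names (`Session`, `Resource`, `triage`, and so on) are constructed for illustration.

```cpp
#include <memory>
#include <type_traits>

// All type and function names below are constructed for this example.
static int g_virtual = 0, g_deleter = 0, g_callback = 0;

struct Resource { virtual ~Resource() { ++g_virtual; } };   // has a vtable
static void counting_deleter(int* p) { ++g_deleter; delete p; }
static void counting_callback() { ++g_callback; }

// Session declares no virtual functions, so it carries no vtable pointer of
// its own, yet destroying it makes three calls through pointers it stores.
struct Session {
    std::unique_ptr<Resource> owned;  // virtual destructor call via the Resource's vptr
    std::shared_ptr<int> shared;      // deleter pointer kept in the control block
    void (*on_close)();               // called directly by the destructor
    ~Session() { if (on_close) on_close(); }
};

struct Plain { long value; };         // no destructor code at all

enum class Triage { TrivialDestructor, VirtualDestructor, NeedsReview };

// Compile-time first pass over the type named in a double-delete report.
template <class T>
constexpr Triage triage() {
    return std::has_virtual_destructor<T>::value     ? Triage::VirtualDestructor
         : std::is_trivially_destructible<T>::value  ? Triage::TrivialDestructor
                                                     : Triage::NeedsReview;
}

// Destroys one Session and returns how many pointer-driven calls ran.
int indirect_calls_in_one_destruction() {
    g_virtual = g_deleter = g_callback = 0;
    {
        Session s{std::unique_ptr<Resource>(new Resource),
                  std::shared_ptr<int>(new int(7), counting_deleter),
                  counting_callback};
    }
    return g_virtual + g_deleter + g_callback;
}

int main() {
    return indirect_calls_in_one_destruction() == 3 ? 0 : 1;
}
```

`TrivialDestructor` only says that the destructor itself runs no code; the second `delete` still hands the pointer to the allocator, so that result does not close the report on its own.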