
DOUF Explanation

Answer page

To keep this short: the program contains a double free. On the path where the parser decides that the string "https" is present in the supplied input and returns true, the same heap buffer is freed twice.

The flaw (source)

    while ( *v14 != 0x70747468 || *(v14 + 4) != 115 )   // 0x70747468 is "http" read as a little-endian int; 115 is 's'
    {
      v14 = sub_1400C22A0(v14 + 1, 104i64, v13 - 4 - (v14 + 1));   // 104 is 'h': search for the next candidate position
      if ( !v14 )
        goto LABEL_18;                                // no further 'h': take the single-free error path
    }
    free(v6);                                         // first free of the buffer
    if ( v14 - v11 != -1 )
    {
      free(v6);                                       // second free of the same buffer: double free
      v16 = 1;                                        // return value true
      goto LABEL_20;
    }
  }
  else
  {
LABEL_18:
    free(v6);                                         // error path: buffer freed once
  }
  v16 = 0;                                            // return value false

As you can see by reading the code, free is called twice on the same buffer, v6: once unconditionally after the search loop, and again inside the if block before v16 is set to 1.

Execution and Bug flow (proof via src)

When the search for "https" fails (sub_1400C22A0 returns NULL because there is no further 'h' in the input), control jumps to LABEL_18, v6 is freed exactly once, and the function returns false by assigning v16 = 0.

The success path, where the loop exits because "http" followed by 's' was found and the pointer check below it passes, tells a different story.

Before the condition is evaluated, v6 (the allocated buffer) is freed. When the condition v14 - v11 != -1 holds, the same buffer is freed a second time and v16, the return value, is set to 1 (true).

So whenever the function returns true it has freed v6 twice. What happens next depends on the allocator: a heap with double-free checks aborts at the second free, while one without them corrupts its metadata and the program crashes or misbehaves shortly after the function returns.

In order to exploit this ...

To reach the flaw, an attacker needs input that makes the search succeed, so that the function accepts that the string contains "https" and takes the branch with the second free call.

In practice this means the payload must contain "https" somewhere in the input, at a position the loop can reach: the search advances one 'h' at a time through the buffer and must leave room for the four bytes of "http" plus the trailing 's'.
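The following C program is an added example and not code from the target binary. It re-creates the control flow of the decompiled routine above (memchr for 'h', compare "http" plus 's', free on the way out of the loop and again in the success branch) beside a corrected version that releases the buffer once. The `track_free` wrapper, the `free_requests` counter and the sample inputs are constructed for the demonstration: `track_free` records every free request but only releases the block the first time, so the duplicated call can be counted instead of corrupting the heap (replace its body with a plain `free()` to reproduce the crash). Modelling the original's `v14 - v11 != -1` check as "a match was found" is an assumption, since the page does not show what v11 holds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed harness: counts free requests for the current call and only
 * releases the block on the first one, so a double free is observable
 * without undefined behaviour. Not part of the target program. */
static int free_requests;

static void track_free(void *p)
{
    if (free_requests++ == 0)
        free(p);
}

/* Number of free requests made by the most recent contains_https_* call. */
int free_requests_last(void)
{
    return free_requests;
}

/* Scan for "https" the way the decompiled loop does: check the current
 * position for "http" followed by 's', otherwise memchr for the next 'h'
 * with a length that leaves room for the five bytes being compared. The
 * memcmp against "http" is the portable form of *v14 == 0x70747468. */
static const char *find_https(const char *p, const char *end)
{
    while (end - p >= 5) {
        if (memcmp(p, "http", 4) == 0 && p[4] == 's')
            return p;
        /* Candidates are p+1 .. end-5 inclusive: end - 5 - p bytes. */
        p = memchr(p + 1, 'h', (size_t)(end - 5 - p));
        if (!p)
            return NULL;
    }
    return NULL;
}

/* Mirrors the vulnerable flow: the buffer is freed after the search and,
 * on success, freed again before the true result is returned. */
int contains_https_buggy(const char *input, size_t len)
{
    char *buf = malloc(len);              /* stand-in for v6 */
    if (!buf)
        return 0;
    memcpy(buf, input, len);
    free_requests = 0;

    const char *hit = find_https(buf, buf + len);
    track_free(buf);                      /* first free (unconditional) */
    if (hit) {                            /* assumed meaning of v14 - v11 != -1 */
        track_free(buf);                  /* second free of the same block */
        return 1;
    }
    return 0;                             /* error path: freed once */
}

/* Corrected flow: compute the result first, release the buffer exactly
 * once at the single exit, and never touch it afterwards. */
int contains_https_fixed(const char *input, size_t len)
{
    char *buf = malloc(len);
    if (!buf)
        return 0;
    memcpy(buf, input, len);
    free_requests = 0;

    int result = find_https(buf, buf + len) != NULL;
    track_free(buf);                      /* single owner, single release */
    return result;
}

int main(void)
{
    /* Constructed sample input containing the trigger string. */
    const char sample[] = "GET https://example.test/ HTTP/1.1";
    size_t n = sizeof sample - 1;

    int r = contains_https_buggy(sample, n);
    printf("buggy: result=%d, free requests=%d\n", r, free_requests_last());
    r = contains_https_fixed(sample, n);
    printf("fixed: result=%d, free requests=%d\n", r, free_requests_last());
    return 0;
}
```

Feed the buggy function any input with "https" in it and the counter reaches 2; an input without it, or one where the "https" is cut off by the end of the buffer, takes the single-free path and returns 0. The fixed version returns the same verdicts with exactly one release in every case.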
