[gnutls-devel] libtasn1 | memory leaks in asn1_array2tree (#26)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Mar 17 03:21:42 CET 2020



whzhe51 created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/26



## Description of problem:

Indirect leak of 912 byte(s) in 6 object(s) allocated from:
    #0 0x5216a2 in calloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x56fb06 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:72:10
    #2 0x554557 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #4 0x459d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x459425 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x45b7c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45c555 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x44a6d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x474752 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x52152d in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x570591 in _asn1_set_value /src/libtasn1/lib/parser_aux.c:274:21
    #2 0x5545d9 in asn1_array2tree /src/libtasn1/lib/structure.c:203:2
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #4 0x459d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #5 0x459425 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #6 0x45b7c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #7 0x45c555 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:830:5
    #8 0x44a6d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
    #9 0x474752 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

## Version of libtasn1 used:

4.16

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

Fedora

## How reproducible:

fuzz-test

Steps to Reproduce:

 * one
 * two
 * three

## Actual results:

memory leak

## Expected results:

fuzz-test pass
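For triaging reports like the two traces above, the following Python helper is an added example (it is not part of this issue or of libtasn1). It parses LeakSanitizer output, aggregates leaked bytes and objects per allocation site inside the project tree, and names the outermost public API frame so a fuzz finding can be attributed to one entry point (here `asn1_array2tree`). The sample text is constructed from the frames of the report above; the `/src/libtasn1/` project root and the convention that internal helpers start with an underscore are assumptions.

```python
"""Triage helper for LeakSanitizer reports (added example, not libtasn1 code)."""
import re
from collections import defaultdict

# Constructed sample: the two leak records from the report, with the
# libFuzzer driver frames trimmed for brevity.
SAMPLE_REPORT = """\
Indirect leak of 912 byte(s) in 6 object(s) allocated from:
    #0 0x5216a2 in calloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x56fb06 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:72:10
    #2 0x554557 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #4 0x459d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x52152d in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x570591 in _asn1_set_value /src/libtasn1/lib/parser_aux.c:274:21
    #2 0x5545d9 in asn1_array2tree /src/libtasn1/lib/structure.c:203:2
    #3 0x553cc0 in LLVMFuzzerTestOneInput /src/libtasn1/fuzz/libtasn1_array2tree_fuzzer.c:84:3
    #10 0x7fb87930482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
"""

LEAK_HEADER = re.compile(
    r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:"
)
# "#N 0xADDR in <function, may contain spaces> <location>"; the location is
# the last whitespace-free token (a path:line:col or a "(module+offset)").
FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")

PROJECT_ROOT = "/src/libtasn1/"  # assumption: where the project sources live


def parse_leaks(text):
    """Return one dict per leak record: kind, bytes, objects and its frames."""
    leaks, current = [], None
    for line in text.splitlines():
        m = LEAK_HEADER.match(line)
        if m:
            current = {"kind": m.group(1), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frames": []}
            leaks.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None:
            current["frames"].append({"func": m.group(2), "loc": m.group(3)})
        elif not line.strip():
            current = None  # a blank line terminates the current record
    return leaks


def allocation_site(leak, project_root=PROJECT_ROOT):
    """First frame inside the project tree: the code that owns the allocation
    (sanitizer runtime and libc frames above it are skipped)."""
    for fr in leak["frames"]:
        if fr["loc"].startswith(project_root):
            return f'{fr["func"]} {fr["loc"]}'
    return "<unknown>"


def public_entry(leak, project_root=PROJECT_ROOT):
    """Outermost project frame that is not an internal helper (assumption:
    internal helpers start with '_'); this is the API function to report."""
    for fr in leak["frames"]:
        if fr["loc"].startswith(project_root) and not fr["func"].startswith("_"):
            return fr["func"]
    return "<unknown>"


def summarize(leaks, project_root=PROJECT_ROOT):
    """Aggregate leaked bytes/objects overall and per project allocation site."""
    per_site = defaultdict(lambda: {"bytes": 0, "objects": 0, "records": 0})
    for leak in leaks:
        site = allocation_site(leak, project_root)
        per_site[site]["bytes"] += leak["bytes"]
        per_site[site]["objects"] += leak["objects"]
        per_site[site]["records"] += 1
    return {
        "total_bytes": sum(l["bytes"] for l in leaks),
        "total_objects": sum(l["objects"] for l in leaks),
        "entry_points": sorted({public_entry(l, project_root) for l in leaks}),
        "sites": dict(per_site),
    }


if __name__ == "__main__":
    summary = summarize(parse_leaks(SAMPLE_REPORT))
    print(f'{summary["total_bytes"]} byte(s) in {summary["total_objects"]} object(s) '
          f'leaked via {", ".join(summary["entry_points"])}')
    for site, agg in summary["sites"].items():
        print(f'  {agg["bytes"]:>6} B  {agg["objects"]:>3} obj  {site}')
```

Grouping by the first in-project frame rather than by `calloc`/`malloc` is what makes the output actionable: both records here collapse onto `asn1_array2tree` as the entry point, with two distinct allocation sites in `parser_aux.c`, which is the shape a maintainer needs to decide where a missing free on an error path is likely to be.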
