
memory leak when using fy_node_by_path with flags FYNWF_PTR_JSON | FYNWF_PTR_RELJSON

Open rivit98 opened this issue 11 months ago • 0 comments

Hi, I found the following problem while fuzzing libfyaml.

Code version

6e52e4d8b6adb01cc2fc377fab7b7fd523364438

How to reproduce

#include <stdio.h>
#include <string.h>   /* strlen */
#include <assert.h>
#include <libfyaml.h>

int main(void) {
  struct fy_document *fyd = NULL;
  /* JSON pointer and relative JSON pointer path flags combined */
  int flags = FYNWF_PTR_JSON | FYNWF_PTR_RELJSON;

  /* empty document whose root is an empty sequence */
  fyd = fy_document_create(NULL);
  struct fy_node *fyn = fy_node_create_sequence(fyd);
  assert(fyn);
  fy_document_set_root(fyd, fyn);
  struct fy_node *root = fy_document_root(fyd);
  assert(root);

  /* fuzzer-generated path, i.e. the string "/^/,^/,,///^/^^<//^,O" */
  char data[] = "\x2f\x5e\x2f\x2c\x5e\x2f\x2c\x2c\x2f\x2f\x2f\x5e\x2f\x5e\x5e\x3c\x2f\x2f\x5e\x2c\x4f\x00";
  struct fy_node *node = fy_node_by_path(root, data, strlen(data), flags);
  printf("node: %p\n", node);   /* lookup fails and returns NULL */
  fy_document_destroy(fyd);     /* document is freed; the leaked objects belong to the lookup */
  return 0;
}

Compile & link with fuzzer support. Run and observe the ASAN output:

[ERR]: fy_expr_stack_pop() failed for exprl
node: (nil)

=================================================================
==1924144==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x562008ec8313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ac313) (BuildId: e3fab39ec41008b1ebfd63a7e2ceac9c98ff3208)
    #1 0x5620090db37d in fy_path_expr_alloc /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:532:9
    #2 0x562009119c1d in fy_node_by_ypath_result /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:5516:9

Indirect leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x562008ec8313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ac313) (BuildId: e3fab39ec41008b1ebfd63a7e2ceac9c98ff3208)
    #1 0x5620090c0012 in fy_token_alloc_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:164:9
    #2 0x5620090c0012 in fy_token_vcreate_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:407:8

Indirect leak of 200 byte(s) in 1 object(s) allocated from:
    #0 0x562008ec8313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1ac313) (BuildId: e3fab39ec41008b1ebfd63a7e2ceac9c98ff3208)
    #1 0x562008fd208d in fy_input_alloc /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.c:44:8

SUMMARY: AddressSanitizer: 480 byte(s) leaked in 3 allocation(s).

Looks like some internal buffers are not freed. fy_node_by_path correctly returns NULL.

I wonder if setting FYNWF_PTR_JSON and FYNWF_PTR_RELJSON together is incorrect - if so, there would need to be some kind of validation.

rivit98, Jan 19 '25 21:01