libfyaml
memory leak when using fy_path_expr_build_from_string with flags: FYPPCF_DISABLE_ACCELERATORS
Hi, I found the following problem while fuzzing libfyaml.
Code version
6e52e4d8b6adb01cc2fc377fab7b7fd523364438
How to reproduce
```c
#include <stdio.h>
#include <libfyaml.h>

int main(void) {
	/* Same configuration as the fuzz target: quiet, accelerators disabled. */
	struct fy_path_parse_cfg parse_cfg = {0};
	parse_cfg.flags = FYPPCF_QUIET | FYPPCF_DISABLE_ACCELERATORS;

	/* Fuzzer-found input: ".N" followed by a NUL terminator. */
	char data[] = "\x2e\x4e\x00";

	/* Length -1 (FY_NT) tells the parser the string is NUL-terminated. */
	struct fy_path_expr *expr = fy_path_expr_build_from_string(&parse_cfg, data, -1);

	/* Freeing the expression still leaves the allocations reported below. */
	fy_path_expr_free(expr);
	return 0;
}
```
Compile & link with fuzzer support. Run and observe the ASAN output:
```
==890418==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 208 byte(s) in 1 object(s) allocated from:
    #0 0x5b412bbf9313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1da313) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)
    #1 0x5b412beed42b in fy_token_alloc_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:164:9
    #2 0x5b412beed42b in fy_token_vcreate_rl /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:407:8
    #3 0x5b412bef23c8 in fy_token_vcreate /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:506:9
    #4 0x5b412bf1f548 in fy_token_list_vqueue /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.h:262:8
    #5 0x5b412bf1f337 in fy_path_token_vqueue /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:830:8
    #6 0x5b412bf1f728 in fy_path_token_queue /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:844:8
    #7 0x5b412bf2df47 in fy_path_fetch_dot_method /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:980:8
    #8 0x5b412bf5578a in fy_path_fetch_tokens /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:1405:11
    #9 0x5b412bf584d9 in fy_path_scan_peek /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:1472:8
    #10 0x5b412bf65804 in fy_path_parse_expression /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3238:16
    #11 0x5b412bf6a560 in fy_path_parse_expr_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3733:9
    #12 0x5b412bf6a942 in fy_path_expr_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3764:9
    #13 0x5b412bc38ae9 in tc9 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:122:31
    #14 0x5b412bc38f9e in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:140:3
    #15 0x79e679c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x79e679c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x5b412bb5e4c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x13f4c4) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)

Indirect leak of 200 byte(s) in 1 object(s) allocated from:
    #0 0x5b412bbf9313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1da313) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)
    #1 0x5b412bd7471b in fy_input_alloc /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.c:44:8
    #2 0x5b412bd75f43 in fy_input_from_data /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.c:174:8
    #3 0x5b412bf6a29d in fy_path_parse_expr_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3719:8
    #4 0x5b412bf6a942 in fy_path_expr_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3764:9
    #5 0x5b412bc38ae9 in tc9 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:122:31
    #6 0x5b412bc38f9e in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:140:3
    #7 0x79e679c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x79e679c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #9 0x5b412bb5e4c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x13f4c4) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)

Indirect leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x5b412bbf9313 in malloc (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1da313) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)
    #1 0x5b412befa9fc in fy_token_prepare_text /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:1037:15
    #2 0x5b412bef3601 in fy_token_get_text /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-token.c:1072:3
    #3 0x5b412bf5ea77 in evaluate_method /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:2689:9
    #4 0x5b412bf63fd9 in evaluate_new /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3100:10
    #5 0x5b412bf6943f in fy_path_parse_expression /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3484:9
    #6 0x5b412bf6a560 in fy_path_parse_expr_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3733:9
    #7 0x5b412bf6a942 in fy_path_expr_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3764:9
    #8 0x5b412bc38ae9 in tc9 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:122:31
    #9 0x5b412bc38f9e in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:140:3
    #10 0x79e679c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x79e679c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #12 0x5b412bb5e4c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x13f4c4) (BuildId: ad01c1cea82ed31a6c0fd6afeecf4dcec05bcd9b)

SUMMARY: AddressSanitizer: 410 byte(s) leaked in 3 allocation(s).
```