Hi!
We are using improved fuzzing technology with fault injection. I'm rather sure the bug is not a security issue. If you still worry about it, please point it out and I will edit immediately. Although I'm fuzzing on v0.104.1, it seems to still exist in the latest version.
Different from traditional fuzzing, fault injection can test error-handling code when errors happen under extreme conditions (such as malloc() returning NULL when out of memory). So it is hard to reproduce without our fault injection environment. I tried to analyze the related code to find the cause but am not sure, so I need your help. I'm glad to provide more details if you need them.
// in clamav/libclamav/hashtab.c: 645
645 int cli_hashset_init(struct cli_hashset *hs, size_t initial_capacity, uint8_t load_factor)
646 {
// hs->bitmap = NULL, if out of memory
662 hs->bitmap = cli_calloc(initial_capacity >> 5, sizeof(*hs->bitmap));
663 if (!hs->bitmap) {
// First free here
664 free(hs->keys);
667 }
668 return 0;
669 }
// in clamav/libclamav/hashtab.c: 697
697 void cli_hashset_destroy(struct cli_hashset *hs)
698 {
700 if (hs->mempool) {
703 } else {
// Second free here, double free.
704 free(hs->keys);
705 free(hs->bitmap);
706 }
709 }
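The sequence the report describes, reproduced as an added, self-contained C model (not ClamAV's code and not the reporter's): a calloc wrapper that fails on the Nth allocation stands in for the fault-injection environment, a free tracker flags a second free of the same address instead of corrupting the heap, `init_reported` mirrors the quoted cli_hashset_init error path (keys freed, pointer left dangling), `init_fixed` resets the pointer after freeing it, and `destroy` mirrors the non-mempool branch of cli_hashset_destroy. The struct layout, the hook names and the assumption that some caller invokes destroy after a failed init are all constructed for the example; the page does not show which ClamAV caller, if any, does so.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- fault-injection hooks (constructed for this example) ---- */
static int alloc_count   = 0;   /* allocations seen so far */
static int fail_alloc_at = -1;  /* fail the Nth allocation; -1 = never */

static void *fi_calloc(size_t n, size_t sz)
{
    if (++alloc_count == fail_alloc_at)
        return NULL;            /* simulate ENOMEM */
    return calloc(n, sz);
}

/* ---- free tracker: detects a second free of the same pointer ----
 * Memory is deliberately never returned to the allocator, so an address
 * cannot be recycled and pointer equality is a sound double-free test. */
#define MAX_TRACK 16
static void *freed[MAX_TRACK];
static int   freed_n = 0;
static int   double_free_seen = 0;

static void tracked_free(void *p)
{
    if (!p) return;             /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < freed_n; i++) {
        if (freed[i] == p) { double_free_seen = 1; return; }
    }
    if (freed_n < MAX_TRACK) freed[freed_n++] = p;
}

/* Minimal stand-in for struct cli_hashset (assumed layout, not ClamAV's). */
struct hs {
    uint32_t *keys;
    uint32_t *bitmap;
    size_t    capacity;
};

/* Model of the reported init: when the bitmap calloc fails, keys is freed
 * but the pointer is left dangling in the struct. */
static int init_reported(struct hs *h, size_t cap)
{
    h->capacity = cap;
    h->keys = fi_calloc(cap, sizeof *h->keys);
    if (!h->keys) return -1;
    h->bitmap = fi_calloc(cap >> 5, sizeof *h->bitmap);
    if (!h->bitmap) {
        tracked_free(h->keys);  /* first free */
        return -1;              /* h->keys is still non-NULL here */
    }
    return 0;
}

/* Hardened variant: the freed pointer is reset so a later destroy()
 * sees NULL and does nothing. */
static int init_fixed(struct hs *h, size_t cap)
{
    h->capacity = cap;
    h->keys = fi_calloc(cap, sizeof *h->keys);
    if (!h->keys) return -1;
    h->bitmap = fi_calloc(cap >> 5, sizeof *h->bitmap);
    if (!h->bitmap) {
        tracked_free(h->keys);
        h->keys = NULL;         /* leave the struct in a destroy-safe state */
        return -1;
    }
    return 0;
}

/* Model of the non-mempool branch of cli_hashset_destroy. */
static void destroy(struct hs *h)
{
    tracked_free(h->keys);      /* second free if keys is dangling */
    tracked_free(h->bitmap);
    h->keys = h->bitmap = NULL;
}

/* Fail the 2nd allocation (the bitmap), then call destroy() as a caller that
 * ignores init's return value would. Returns 1 if a double free was observed,
 * 0 if not, -1 if the injected fault did not take effect. */
static int run_scenario(int use_fixed_init)
{
    struct hs h;
    memset(&h, 0, sizeof h);
    alloc_count = 0; fail_alloc_at = 2;
    freed_n = 0;     double_free_seen = 0;

    int rc = use_fixed_init ? init_fixed(&h, 64) : init_reported(&h, 64);
    if (rc != -1) return -1;
    destroy(&h);
    return double_free_seen;
}

int main(void)
{
    printf("reported init + destroy: double free = %d\n", run_scenario(0));
    printf("fixed init    + destroy: double free = %d\n", run_scenario(1));
    return 0;
}
```

The model shows the two conditions that must both hold for the report to be a real double free: init must leave `keys` dangling on the bitmap failure path, and some caller must run destroy on a hashset whose init returned an error. Resetting the pointer in init closes the first; auditing callers of cli_hashset_init for the second is the check worth doing on the actual tree, and building libclamav with AddressSanitizer while injecting the allocation failure would confirm it without the custom fuzzing harness.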