JayXon / Leanify

lightweight lossless file minifier/optimizer
MIT License

[Bug]out-of-memory in function get_mutable_buffer():/pugixml.cpp:2051 #82

Closed Asteriska001 closed 2 years ago

Asteriska001 commented 2 years ago

POC file at the bottom of this report.

With ASAN

Note: you can use ASAN for more direct verification. Compile the program with AddressSanitizer using the following Makefile (the sanitizer flags are added to CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS):

# Leanify's own translation units; they are handed to the link line as sources.
LEANIFY_SRC     := leanify.cpp main.cpp utils.cpp $(wildcard formats/*.cpp)

# Bundled third-party objects, grouped per library so the paths are written once.
LZMA_OBJ        := $(addprefix lib/LZMA/,Alloc.o LzFind.o LzFindMt.o LzFindOpt.o LzmaDec.o LzmaEnc.o Threads.o)
MOZJPEG_OBJ     := $(addprefix lib/mozjpeg/,jaricom.o jcapimin.o jcarith.o jcext.o jchuff.o jcmarker.o jcmaster.o \
                   jcomapi.o jcparam.o jcphuff.o jctrans.o jdapimin.o jdarith.o jdatadst.o jdatasrc.o jdcoefct.o \
                   jdhuff.o jdinput.o jdmarker.o jdphuff.o jdtrans.o jerror.o jmemmgr.o jmemnobs.o jsimd_none.o jutils.o)
PUGIXML_OBJ     := $(addprefix lib/pugixml/,pugixml.o)
ZOPFLI_OBJ      := $(addprefix lib/zopfli/,hash.o squeeze.o gzip_container.o katajainen.o zopfli_lib.o cache.o \
                   zlib_container.o util.o tree.o deflate.o blocksplitter.o lz77.o)
ZOPFLIPNG_OBJ   := $(addprefix lib/zopflipng/,lodepng/lodepng.o lodepng/lodepng_util.o zopflipng_lib.o)

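# Sanitizer build. -g keeps the symbols ASAN needs for readable stack traces;
# -fsanitize=address must also reach the link step so the ASAN runtime is linked
# in. The remaining flags are the project's usual warning/optimisation set
# (-Werror turns every -Wall/-Wextra diagnostic into a hard error).
# NOTE(review): -O3 -flto are carried over from the normal build; sanitizer
# builds are often done at lower optimisation for more precise reports.
CFLAGS      += -g -fsanitize=address -Wall -Wextra -Wno-unused-parameter -Werror -O3 -msse2 -mfpmath=sse -flto
# Preprocessor-only flags. The compile lines already carry CFLAGS/CXXFLAGS, so
# the sanitizer flags are not repeated here.
CPPFLAGS    += -I./lib
# CXXFLAGS inherits CFLAGS (and with it -g -fsanitize=address).
CXXFLAGS    += $(CFLAGS) -std=c++17 -fno-rtti
# Linker flags proper. Libraries go in LDLIBS, where they follow the objects on
# the link line and a command-line LDFLAGS=... override cannot drop them.
LDFLAGS     += -g -fsanitize=address -flto
LDLIBS      += -lpthread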

# Host detection: Windows exports OS=Windows_NT; everywhere else ask uname.
# $(shell …) is assigned with := so the command runs once at parse time.
ifneq ($(OS), Windows_NT)
    SYSTEM  := $(shell uname -s)
else
    SYSTEM  := Windows
    LDLIBS  += -lshlwapi
endif

# Gold linker only supports Linux, so request it solely when uname said "Linux"
# (exact word match; other values of SYSTEM are left on the default linker).
ifneq ($(filter Linux,$(SYSTEM)),)
    LDFLAGS += -fuse-ld=gold
endif

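# macOS needs iconv linked explicitly.
ifeq ($(SYSTEM), Darwin)
    LDLIBS  += -liconv
endif
# Deliberately no -s (strip) for any platform: this is a sanitizer build and
# the ASAN stack traces need the symbols that -g emits (and -s is "obsolete"
# on mac anyway). The former empty non-Darwin branch only carried that note.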

# Platform file-I/O backend: the Win32 one on Windows, the POSIX one elsewhere.
# LEANIFY_SRC is simply-expanded, so the chosen name is appended right here.
LEANIFY_SRC += $(if $(filter Windows,$(SYSTEM)),fileio_win.cpp,fileio_linux.cpp)

# NOTE(review): 'leanify' is the linked binary (-o $@ below) yet is declared
# phony, so every `make` relinks it and recompiles the .cpp sources fed to the
# link line. Presumably intentional because header dependencies are not
# tracked in this file — confirm before changing.
.PHONY:     leanify clean

# Everything that ends up on the link line: Leanify's .cpp files are compiled
# as part of this one command, the library objects are built beforehand (no
# explicit %.o rules here, so make's built-in ones apply).
leanify_inputs := $(LEANIFY_SRC) $(LZMA_OBJ) $(MOZJPEG_OBJ) $(PUGIXML_OBJ) $(ZOPFLI_OBJ) $(ZOPFLIPNG_OBJ)

leanify:    $(leanify_inputs)
	$(CXX) $(CPPFLAGS) $(CXXFLAGS) $^ $(LDFLAGS) $(LDLIBS) -o $@

# Third-party C code is not held to -Wextra (with -Werror that would make its
# warnings fatal); both libraries get the same filtered copy of CFLAGS.
$(LZMA_OBJ) $(MOZJPEG_OBJ): CFLAGS := $(filter-out -Wextra,$(CFLAGS))

# zopfli presumably defines helpers it does not use; silence only that warning.
$(ZOPFLI_OBJ):  CFLAGS += -Wno-unused-function

# Remove every object this file builds plus the linked binary; $(RM) is make's
# built-in `rm -f`, so missing files are not an error.
clean:
	$(RM) $(LZMA_OBJ) $(MOZJPEG_OBJ) $(PUGIXML_OBJ) $(ZOPFLI_OBJ) $(ZOPFLIPNG_OBJ) leanify

ASAN Report (the process aborts because pugixml requests a buffer of 0x3600000001 bytes, roughly 216 GiB, which exceeds the sanitizer allocator's limit)

-> 
-> RDM
-> 6
=================================================================
==2439==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3600000001 bytes
#0 0x7ffff769bc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55555558f703 in get_mutable_buffer lib/pugixml/pugixml.cpp:2051
#2 0x55555558f703 in convert_buffer lib/pugixml/pugixml.cpp:2249
#3 0x55555558f703 in load_buffer_impl lib/pugixml/pugixml.cpp:4712
#4 0x55555558f703 in pugi::xml_document::load_buffer(void const*, unsigned long, unsigned int, pugi::xml_encoding) lib/pugixml/pugixml.cpp:7224
#5 0x55555558f703 in Xml::Xml(void*, unsigned long) formats/xml.cpp:20
#6 0x55555558f703 in GetType(void*, unsigned long, std::__cxx11::basic_string, std::allocator > const&) /AFLplusplus/my_test/projects/Leanify/asan_bin/Leanify/leanify.cpp:118
#7 0x55555573e8df (/AFLplusplus/my_test/projects/Leanify/tanuki/asan_bin/leanify+0x1ea8df)

==2439==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 in __interceptor_malloc
Thread T1 created by T0 here:
#0 0x7ffff763f6d5 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff7484989 in std::thread::_M_start_thread(std::unique_ptr >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xda989)

==2439==ABORTING

POC

POC

Any issue plz contact with me: asteriska001@gmail.com OR: twitter: @Asteriska8