lsh123
commented
2 days ago Do you have the full call stack? This function returns the created BIO object and it's caller responsibility to free it
Closed ralfjunker closed 1 day ago
lsh123
commented
2 days ago Do you have the full call stack? This function returns the created BIO object and it's caller responsibility to free it
lsh123
commented
2 days ago I can find only one place where this function is used in xmlsec code:
And it looks like the BIO object is free'd correctly,
ralfjunker
commented
2 days ago If BIO_read_filename() fails, xmlSecOpenSSLCreateReadFileBio() returns NULL and the caller has nothing to free.
To reproduce, call xmlSecCryptoAppKeysMngrCertLoad() with a filename of a file which does not exist.
lsh123
commented
1 day ago argh, thanks --missed it
A file not found results in a memory leak here: https://github.com/lsh123/xmlsec/blob/548c71e56cd1adc85c14c25941451fbc1ceb9230/src/openssl/crypto.c#L774-L778
BIO_free(bio);is missing to free the BIO and its associated resources.