Closed ralfjunker closed 1 day ago
Do you have the full call stack? This function returns the created BIO object and it's the caller's responsibility to free it.
I can find only one place where this function is used in xmlsec code:
And it looks like the BIO object is free'd correctly,
If `BIO_read_filename()` fails, `xmlSecOpenSSLCreateReadFileBio()` returns `NULL` and the caller has nothing to free.
To reproduce, call `xmlSecCryptoAppKeysMngrCertLoad()` with a filename of a file which does not exist.
argh, thanks --missed it
A file not found results in a memory leak here: https://github.com/lsh123/xmlsec/blob/548c71e56cd1adc85c14c25941451fbc1ceb9230/src/openssl/crypto.c#L774-L778

`BIO_free(bio);` is missing to free the BIO and its associated resources.
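The error path discussed in this thread, as an added example that is not xmlsec's code and not written by any participant: a constructor that returns NULL on a failed open leaves the caller nothing to free, so it has to release the object itself. The `mock_bio*` functions and the file path are hypothetical stand-ins for OpenSSL's BIO calls so the leak can be counted without linking OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for BIO_new/BIO_read_filename/BIO_free so the example
 * builds without OpenSSL and can count objects that were never freed. */
typedef struct { FILE *fp; } mock_bio;
static int live_bios = 0;          /* allocated and not yet freed */
static mock_bio *last_bio = NULL;  /* lets the demo reclaim a leaked object */
static mock_bio *mock_bio_new(void) {
    mock_bio *b = calloc(1, sizeof(*b));
    if (b != NULL) { live_bios++; last_bio = b; }
    return b;
}
static int mock_bio_read_filename(mock_bio *b, const char *name) {
    b->fp = fopen(name, "rb");
    return b->fp != NULL;          /* 1 on success, 0 if the file cannot be opened */
}
static void mock_bio_free(mock_bio *b) {
    if (b == NULL) return;
    if (b->fp != NULL) fclose(b->fp);
    free(b); live_bios--;
}
/* Reported pattern: the failure path returns NULL without freeing the BIO. */
static mock_bio *create_read_file_bio_leaky(const char *name) {
    mock_bio *bio = mock_bio_new();
    if (bio == NULL) return NULL;
    if (!mock_bio_read_filename(bio, name)) return NULL;  /* bio is lost here */
    return bio;
}
/* Corrected pattern: release the BIO before reporting failure. */
static mock_bio *create_read_file_bio_fixed(const char *name) {
    mock_bio *bio = mock_bio_new();
    if (bio == NULL) return NULL;
    if (!mock_bio_read_filename(bio, name)) { mock_bio_free(bio); return NULL; }
    return bio;
}
/* Number of objects still allocated after the caller handles a missing file. */
static int leaked_after_missing_file(mock_bio *(*create)(const char *)) {
    int before = live_bios;
    mock_bio_free(create("/nonexistent/constructed-cert.pem")); /* NULL: no-op */
    int leaked = live_bios - before;
    if (leaked > 0) mock_bio_free(last_bio);  /* reclaim so the demo itself is clean */
    return leaked;
}
int main(void) {
    printf("leaky: %d\n", leaked_after_missing_file(create_read_file_bio_leaky));
    printf("fixed: %d\n", leaked_after_missing_file(create_read_file_bio_fixed));
    return 0;
}
```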