search

michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0
208 stars 47 forks source link

LeakSanitizer: detected memory leaks #481

Closed hdthky closed 2 years ago

hdthky commented 2 years ago

Description

Whilst experimenting with htmldoc, built from commit 31f7804, we are able to induce memory leaks in function strdup , using a harness compiled from htmldoc/htmldoc.cxx.

Because the allocated memory has not been freed , memory leaks will be triggered when the software encounters a malformed file, resulting in exhausted system resources or denial of service.

Proof of Concept

The POC is: poc_memory_leak

The command is: ./htmldoc --webpage -t pdf -f /dev/null poc_memory_leak

The ASAN report is:

=================================================================
==45404==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 41 byte(s) in 5 object(s) allocated from:
    #0 0x307074 in strdup (/work/libraries/htmldoc/htmldoc/htmldoc+0x307074)
    #1 0x4a4220 in get_format /work/libraries/htmldoc/htmldoc/util.cxx

SUMMARY: AddressSanitizer: 41 byte(s) leaked in 5 allocation(s).

Impact

This vulnerability is capable of inducing denial of service.

michaelrsweet commented 2 years ago

@hdthky This is NOT an actionable memory leak. LeakSanitizer is reporting that 41 bytes were allocated, pointers not lost, and not freed before the process exits. But since the OS reclaims all memory on process exit, there is no point in freeing these pointers before exit.