michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0

Memory Leak #511

Closed chameleon10712 closed 1 year ago

chameleon10712 commented 1 year ago

Description

I found a memory leak in htmldoc.

Proof of Concept

poc

echo -ne "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" | base64 -d > poc

build with asan

$ /home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book  --titleimage ./ducks.jpg ./pocs/poc_0
ERR005: Unable to find image file "./ducks.jpg"!
PAGES: 33
BYTES: 427139

=================================================================
==2128119==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 384 byte(s) in 20 object(s) allocated from:
    #0 0x7f8e20e98c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x55c2e848ff6c  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x1bef6c)

Direct leak of 76 byte(s) in 6 object(s) allocated from:
    #0 0x7f8e20e98808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55c2e849012d  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x1bf12d)

Direct leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x7f8e20e213ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x55c2e851774e  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x24674e)

Direct leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x7f8e20e213ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x55c2e85177e3  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x2467e3)

SUMMARY: AddressSanitizer: 476 byte(s) leaked in 28 allocation(s).

Affected Version

michaelrsweet commented 1 year ago

This is a false positive - basically not all of the memory was explicitly freed before exit, and ASAN on Linux reports those unless you set "ASAN_OPTIONS='leak_check_at_exit=false'" in the environment. There is no point freeing memory right before exit...
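To illustrate the distinction the maintainer's reply turns on, here is an added C example that is neither htmldoc's code nor part of this issue. It shows how LeakSanitizer treats memory that is still allocated when the process exits: blocks still reachable from a global are not reported even though they are never freed, a block whose only pointer was dropped is reported as a direct leak (like the strdup entries in the report above), and an atexit() handler is one way to exit with nothing outstanding without disabling the leak check for the whole run. The registry (lifetime_alloc, lifetime_count, lifetime_free_all) and the leak_a_copy function are hypothetical stand-ins for a program's long-lived buffers and a genuinely lost allocation.

```c
/* Added example (not htmldoc code): how LeakSanitizer classifies memory
 * that is still allocated at process exit, plus an atexit() cleanup that
 * keeps the exit-time report quiet without turning leak checking off.
 * Build normally, or with:  cc -g -fsanitize=address leaks.c -o leaks   */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical registry of heap blocks the program owns for its whole
 * lifetime. g_blocks is a global, so every block stored here stays
 * reachable until exit. */
#define MAX_BLOCKS 64
static void *g_blocks[MAX_BLOCKS];
static size_t g_nblocks;

/* Allocate a block and remember it. LeakSanitizer only reports memory it
 * cannot reach from roots (globals, stacks, registers, TLS), so a block
 * referenced from g_blocks is never listed as a leak, freed or not. */
void *lifetime_alloc(size_t n)
{
    if (g_nblocks >= MAX_BLOCKS)
        return NULL;
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    g_blocks[g_nblocks++] = p;
    return p;
}

/* Number of blocks currently held by the registry. */
size_t lifetime_count(void)
{
    return g_nblocks;
}

/* Free every registered block and return how many were released. */
size_t lifetime_free_all(void)
{
    size_t freed = g_nblocks;
    for (size_t i = 0; i < g_nblocks; i++) {
        free(g_blocks[i]);
        g_blocks[i] = NULL;
    }
    g_nblocks = 0;
    return freed;
}

/* atexit() hook: user handlers run before the sanitizer's own exit-time
 * leak check, so after this runs nothing from the registry is outstanding. */
static void cleanup_at_exit(void)
{
    (void)lifetime_free_all();
}

/* A real leak for contrast: the heap copy is used, then its only pointer
 * goes out of scope. At exit nothing references it, so an ASan/LSan build
 * reports it as "Direct leak of N byte(s) ... allocated from strdup". */
size_t leak_a_copy(const char *s)
{
    char *copy = strdup(s);
    if (copy == NULL)
        return 0;
    size_t len = strlen(copy);
    /* deliberately not freed and not stored anywhere: this is the leak */
    return len;
}

int main(void)
{
    atexit(cleanup_at_exit);

    /* Long-lived buffers: held by a global, released by the atexit hook.
     * Neither is reported by LeakSanitizer. */
    lifetime_alloc(384);
    lifetime_alloc(76);

    /* The only allocation an ASan build should list at exit. */
    size_t n = leak_a_copy("hello");

    printf("registry holds %zu block(s); leaked copy had %zu chars\n",
           lifetime_count(), n);
    return 0;
}
```

Built with -fsanitize=address, the program's exit-time report should contain only the strdup copy. Setting ASAN_OPTIONS='leak_check_at_exit=false', as the comment above suggests, skips that exit-time check entirely, so a build used to triage fuzzer findings loses real leaks along with the benign never-freed ones; an LSAN_OPTIONS suppressions file with `leak:<pattern>` lines silences only matching allocation sites. The unsymbolized frames in the original report (`htmldoc+0x1bef6c`) resolve to file and line when the binary is built with -g and a symbolizer (llvm-symbolizer or addr2line) is available.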