stcorp / coda

The Common Data Access toolset
http://stcorp.github.io/coda/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

leak(s) in coda-sp3.c:read_header #79

Closed schwehr closed 4 years ago

schwehr commented 4 years ago

The first value is leaked. It also looks like the error returns in coda-sp3.c:read_header() don't delete value.

==2468135==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4096 byte(s) in 1 object(s) allocated from:
    #1 0x5654243c6cf8 in coda_mem_data_new third_party/stcorp_coda/libcoda/coda-mem-type.c:821:38
    #2 0x5654243c46cd in coda_mem_string_new third_party/stcorp_coda/libcoda/coda-mem-type.c:940:12
    #3 0x565424402922 in read_header third_party/stcorp_coda/libcoda/coda-sp3.c:918:34
    #4 0x565424402148 in read_file third_party/stcorp_coda/libcoda/coda-sp3.c:1906:9
    #5 0x5654243fc423 in coda_sp3_reopen third_party/stcorp_coda/libcoda/coda-sp3.c:1973:9
    #6 0x5654243d1df6 in reopen_with_backend third_party/stcorp_coda/libcoda/coda-product.c:422:17
    #7 0x5654243ceb48 in open_file third_party/stcorp_coda/libcoda/coda-product.c:552:9
    #8 0x5654243ce48a in coda_recognize_file third_party/stcorp_coda/libcoda/coda-product.c:596:9
    #9 0x5654242e1171 in LLVMFuzzerTestOneInput third_party/stcorp_coda/fuzz/coda_recognize_file_fuzzer.cc:19:3

    // The following value is leaked
    value = (coda_dynamic_type *)coda_mem_string_new((coda_type_text *)sp3_type[sp3_pos_vel], NULL, info->product, str);
    coda_mem_record_add_field(info->header, "pos_vel", value, 0);

    memcpy(str, &line[3], 28);
    str[28] = '\0';
    base_type = (coda_dynamic_type *)coda_mem_string_new((coda_type_text *)sp3_type[sp3_datetime_start_string], NULL,
                                                         info->product, str);
    value = (coda_dynamic_type *)coda_mem_time_new((coda_type_special *)sp3_type[sp3_datetime_start], NULL, base_type);
    coda_mem_record_add_field(info->header, "datetime_start", value, 0);

    if (coda_ascii_parse_int64(&line[32], 7, &int_value, 0) < 0)
    {
        coda_add_error_message(" (line: %ld, byte offset: %ld)", info->linenumber, info->offset + 32);
        return -1;
    }
    value = (coda_dynamic_type *)coda_mem_int32_new((coda_type_number *)sp3_type[sp3_num_epochs], NULL, info->product,
                                                    (int32_t)int_value);
    coda_mem_record_add_field(info->header, "num_epochs", value, 0);

    memcpy(str, &line[40], 5);
    str[5] = '\0';
    value = (coda_dynamic_type *)coda_mem_string_new((coda_type_text *)sp3_type[sp3_data_used], NULL, info->product,
                                                     str);
    coda_mem_record_add_field(info->header, "data_used", value, 0);

Test case:

#bV8888          &              2                   88888885

testcase-5662127726788608.zip

svniemeijer commented 4 years ago

Fixed in 4d776e2b38bf579272f1916e1d3fb29dfad1e2c4

(note that 'value' does not have to be cleaned; values will get cleaned as part of the cleanup of info->header)
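The ownership rule stated in the comment above (a value handed to the record is freed by the record's own cleanup, so error returns after `coda_mem_record_add_field()` need no extra free, while a value that was allocated but never added must be freed before returning) is shown below in a small, self-contained C model. This is an added example, not CODA's code or its fix; `mem_value`, `mem_record`, `value_new`, `record_add_field`, `record_free`, `read_header`, the 36-byte header layout and the sample lines are all constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not CODA's code: a minimal model of the ownership rule
 * behind coda_mem_record_add_field(). Once a value has been added to a
 * record, the record owns it and record_free() releases it; a value that
 * was allocated but not yet added must be released by the caller on every
 * early-return path, otherwise LeakSanitizer reports it just like the
 * trace in the issue. All names and the header layout are hypothetical. */

#define MAX_FIELDS 8

static int live_values = 0;  /* allocations minus frees; 0 after cleanup means no leak */

typedef struct {
    char *text;
} mem_value;

typedef struct {
    const char *names[MAX_FIELDS];
    mem_value *values[MAX_FIELDS];
    int count;
} mem_record;

/* Copy n bytes of s into a new value; the caller owns the result. */
static mem_value *value_new(const char *s, size_t n)
{
    mem_value *v = malloc(sizeof *v);
    if (v == NULL)
        return NULL;
    v->text = malloc(n + 1);
    if (v->text == NULL) {
        free(v);
        return NULL;
    }
    memcpy(v->text, s, n);
    v->text[n] = '\0';
    live_values++;
    return v;
}

static void value_free(mem_value *v)
{
    if (v == NULL)
        return;
    free(v->text);
    free(v);
    live_values--;
}

/* Transfers ownership of v to r on success; on failure the caller still owns v. */
static int record_add_field(mem_record *r, const char *name, mem_value *v)
{
    if (r->count >= MAX_FIELDS)
        return -1;
    r->names[r->count] = name;
    r->values[r->count] = v;
    r->count++;
    return 0;
}

/* Releases every value the record owns, in one place. */
static void record_free(mem_record *r)
{
    for (int i = 0; i < r->count; i++)
        value_free(r->values[i]);
    r->count = 0;
}

/* Constructed header layout: byte 0 is pos_vel, bytes 1..28 a datetime
 * string, bytes 29..35 a decimal epoch count. Returns 0 or -1. Values
 * already added to r are left for record_free(); a value still owned here
 * is freed before every early return. */
static int read_header(mem_record *r, const char *line)
{
    mem_value *value;
    char *end;
    long num_epochs;
    char digits[32];

    if (strlen(line) < 36)
        return -1;

    value = value_new(&line[0], 1);
    if (value == NULL)
        return -1;
    if (record_add_field(r, "pos_vel", value) != 0) {
        value_free(value);  /* not yet owned by r, so we must free it here */
        return -1;
    }

    value = value_new(&line[1], 28);
    if (value == NULL)
        return -1;  /* pos_vel already belongs to r; record_free() frees it */
    if (record_add_field(r, "datetime_start", value) != 0) {
        value_free(value);
        return -1;
    }

    num_epochs = strtol(&line[29], &end, 10);
    if (end != &line[36] || num_epochs < 0)
        return -1;  /* nothing dangling: both earlier values belong to r */

    snprintf(digits, sizeof digits, "%ld", num_epochs);
    value = value_new(digits, strlen(digits));
    if (value == NULL)
        return -1;
    if (record_add_field(r, "num_epochs", value) != 0) {
        value_free(value);
        return -1;
    }
    return 0;
}

/* Parse one line and return its status (0 or -1) after cleaning up. */
static int parse_status(const char *line)
{
    mem_record r = {0};
    int status = read_header(&r, line);
    record_free(&r);
    return status;
}

/* Parse one line, clean up, and report how many values are still alive:
 * 0 means every allocation was released on that path. */
static int values_alive_after(const char *line)
{
    mem_record r = {0};
    live_values = 0;
    read_header(&r, line);
    record_free(&r);
    return live_values;
}

int main(void)
{
    /* Constructed inputs: a well-formed header and one with a bad epoch count. */
    const char *good = "P2022  1  1  0  0  0.00000000     96";
    const char *bad = "P2022  1  1  0  0  0.00000000   xyzw";
    printf("good: status %d, leaked %d\n", parse_status(good), values_alive_after(good));
    printf("bad:  status %d, leaked %d\n", parse_status(bad), values_alive_after(bad));
    return 0;
}
```

The `live_values` counter plays the role LeakSanitizer plays in the report above: run the parser over both a valid line and a malformed one, free the record, and check that the count returns to zero on the error path as well as the success path. Building the model with `-fsanitize=address` reports the same thing without the counter.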

schwehr commented 4 years ago

Verified