Page MenuHome GnuPG

Memory leak in g10 handle_compressed
Closed, ResolvedPublic


Found using oss-fuzz, see

Function handle_compressed in g10/compress.c allocates and apparently never frees memory

Here is the code with my added comments

   //memory allocated
    cfx = xmalloc_clear (sizeof *cfx);
    cfx->release = release_context;
    cfx->algo = cd->algorithm;
    // cdx can be copied in a cd->buf field
    if( callback )
	rc = callback(cd->buf, passthru );
      rc = proc_packets (ctrl,procctx, cd->buf);
    //cd->buf goes out of scope
    cd->buf = NULL;
    //patch should be xfree(cfx);
    return rc;

Maybe I am wrong, but there is at least a leak with case COMPRESS_ALGO_NONE

Event Timeline

Bug can be reproduced with gpg --verify leak-a702b3e5612e12163f056f41feb9e95a8b3836bb

gniibe triaged this task as Normal priority.
gniibe added a project: gnupg (gpg14).
gniibe added a subscriber: gniibe.

Good catch. Thanks. Fixed in STABLE-BRANCH-2-2.

gniibe changed the task status from Open to Testing.Apr 13 2018, 3:24 AM

Applied to STABLE-BRANCH-1-4, too.