Page MenuHome GnuPG
Create Task
Maniphest T3898

Memory leak in g10 handle_compressed
Closed, ResolvedPublic
Actions

Description

Found using oss-fuzz, see https://github.com/google/oss-fuzz/pull/1310

Function handle_compressed in g10/compress.c allocates and apparently never frees memory

Here is the code with my added comments

   //memory allocated
    cfx = xmalloc_clear (sizeof *cfx);
    cfx->release = release_context;
    cfx->algo = cd->algorithm;
    // cdx can be copied in a cd->buf field
    push_compress_filter(cd->buf,cfx,cd->algorithm);
    if( callback )
	rc = callback(cd->buf, passthru );
    else
      rc = proc_packets (ctrl,procctx, cd->buf);
    //cd->buf goes out of scope
    cd->buf = NULL;
    //patch should be xfree(cfx);
    return rc;

Maybe I am wrong, but there is at least a leak with case COMPRESS_ALGO_NONE

Revisions and Commits

rG GnuPG
rGd26363e4f193 gpg: Fix minor memory leak in the compress filter.
rG0f8fd95ab32a g10: Push compress filter only if compressed.
rGc31abf84659d g10: Push compress filter only if compressed.

Event Timeline

catenacyber created this task.Apr 12 2018, 9:13 PM

leak-a702b3e5612e12163f056f41feb9e95a8b3836bb809 BDownload
Bug can be reproduced with gpg --verify leak-a702b3e5612e12163f056f41feb9e95a8b3836bb

gniibe claimed this task.EditedApr 13 2018, 3:11 AM
gniibe triaged this task as Normal priority.
gniibe added a project: gnupg (gpg14).
gniibe added a subscriber: gniibe.

Good catch. Thanks. Fixed in STABLE-BRANCH-2-2.

gniibe added a commit: rGc31abf84659d: g10: Push compress filter only if compressed..Apr 13 2018, 3:11 AM
gniibe added a commit: rG0f8fd95ab32a: g10: Push compress filter only if compressed..Apr 13 2018, 3:23 AM
gniibe changed the task status from Open to Testing.Apr 13 2018, 3:24 AM

Applied to STABLE-BRANCH-1-4, too.

werner added a commit: rGd26363e4f193: gpg: Fix minor memory leak in the compress filter..May 2 2018, 8:29 PM
werner closed this task as Resolved.May 2 2018, 8:30 PM