Memory leaks in `sopc_encoder.c`
Description
Using the `fuzz_decoder.c` fuzzer (on commit fec25b25), which fuzzes the `SOPC_EncodeableObject_Decode` function, I found several memory leaks in `sopc_encoder.c`:
- line 708

```
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x57d2cf in SOPC_ByteString_Read /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:708:33
#2 0x593596 in SOPC_Read_Array /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2962:22
#3 0x5971b4 in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#4 0x58d036 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2638:22
#5 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#6 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```

- line 803

```
Direct leak of 3 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x57e377 in SOPC_String_ReadWithLimitedLength /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:803:37
#2 0x586c6e in SOPC_String_Read /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:848:12
#3 0x586c6e in SOPC_LocalizedText_Read /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:1571:18
#4 0x593596 in SOPC_Read_Array /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2962:22
#5 0x5971b4 in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#6 0x58d036 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2638:22
#7 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#8 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```

- line 1433

```
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x5858e3 in SOPC_DiagnosticInfo_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:1433:45
#2 0x593596 in SOPC_Read_Array /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2962:22
#3 0x5971b4 in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#4 0x58d036 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2638:22
#5 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#6 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```

- line 2292

```
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x58d545 in ReadVariantNonArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2292:21
#2 0x58d545 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2630:22
#3 0x5928cd in SOPC_DataValue_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2841:22
#4 0x597865 in SOPC_Read_Array_WithNestedLevel /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:1841:22
#5 0x59723e in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#6 0x58d036 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2638:22
#7 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#8 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```

- line 2386

```
Direct leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x58e5e4 in ReadVariantNonArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2386:26
#2 0x58e5e4 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2630:22
#3 0x5928cd in SOPC_DataValue_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2841:22
#4 0x597865 in SOPC_Read_Array_WithNestedLevel /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:1841:22
#5 0x59723e in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#6 0x58d036 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2638:22
#7 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#8 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```

- line 2664

```
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x53e97d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x58ead6 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2664:21
#2 0x597865 in SOPC_Read_Array_WithNestedLevel /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:1841:22
#3 0x59723e in ReadVariantArrayBuiltInType /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c
#4 0x58d228 in SOPC_Variant_Read_Internal /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encoder.c:2633:22
#5 0x576e25 in SOPC_EncodeableObject_Decode /users/luperini/git/S2OPC/csrc/opcua_types/sopc_encodeabletype.c:334:22
#6 0x56e281 in LLVMFuzzerTestOneInput /users/luperini/git/S2OPC/tests/fuzzing/fuzz_decoder.c:56:32
```
Reproducers are attached in the file leak_sopc_encoder.tar.gz.
Steps to reproduce
```sh
mkdir build.san
cd build.san
../.check-in-docker.sh "CC=clang cmake -DCMAKE_C_FLAGS='-fsanitize=fuzzer-no-link' -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_ASAN=1 -DWITH_UBSAN=1 .. && make -j8 fuzzers"
cd bin
# (optional) if you want to launch the fuzzer
../../.check-in-docker.sh ./decode_fuzzer.libfuzzer -max_len=100000
# Launch a reproducer
../../.check-in-docker.sh ./decode_fuzzer.libfuzzer <path_to_reproducer>
```
Edited by Paul Luperini
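The traces above only show where the leaked bytes were allocated (string and element reads inside `SOPC_Read_Array` and friends), not which error path dropped them. The following constructed C model, added here and not part of this issue or of S2OPC's code, assumes the common shape of this leak class: a later array element fails to decode and the elements already read keep their heap buffers. It shows the error-path cleanup that prevents it, plus a bound on the element count so a hostile length prefix cannot force a huge allocation; `ByteStr`, `Reader`, `decode_array` and `live_allocs` are all hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not S2OPC code: OPC UA-style ByteStrings (int32 length prefix, -1 = null) read from a buffer. */
typedef struct { int32_t len; uint8_t *data; } ByteStr;
typedef struct { const uint8_t *buf; size_t pos, size; } Reader;
int live_allocs = 0; /* heap buffers currently owned; must be 0 after any decode, success or failure */

static int read_i32(Reader *r, int32_t *v) { /* little-endian int32, as in OPC UA binary */
    if (r->size - r->pos < 4) return -1;
    uint32_t u = 0;
    for (int i = 0; i < 4; i++) u |= (uint32_t)r->buf[r->pos + i] << (8 * i);
    r->pos += 4; *v = (int32_t)u; return 0;
}
static int bytestr_read(Reader *r, ByteStr *s) {
    int32_t len; s->len = -1; s->data = NULL;
    if (read_i32(r, &len) != 0) return -1;
    if (len < 0) return 0;                          /* null string: nothing allocated */
    if ((size_t)len > r->size - r->pos) return -1;  /* declared length exceeds remaining input */
    s->data = malloc(len > 0 ? (size_t)len : 1);
    if (s->data == NULL) return -1;
    live_allocs++; memcpy(s->data, r->buf + r->pos, (size_t)len);
    r->pos += (size_t)len; s->len = len; return 0;
}
static void bytestr_clear(ByteStr *s) {
    if (s->data != NULL) { free(s->data); live_allocs--; }
    s->data = NULL; s->len = -1;
}
/* Array decode with the cleanup the traces point at: when element i fails, elements 0..i-1 already own heap buffers. */
int decode_array(const uint8_t *buf, size_t size) {
    Reader r = { buf, 0, size }; int32_t n;
    if (read_i32(&r, &n) != 0 || n < 0) return -1;
    if ((size_t)n > (r.size - r.pos) / 4) return -1; /* each element needs >= 4 bytes: rejects huge hostile counts */
    if (n == 0) return 0;
    ByteStr *arr = calloc((size_t)n, sizeof *arr);
    if (arr == NULL) return -1;
    for (int32_t i = 0; i < n; i++) {
        if (bytestr_read(&r, &arr[i]) != 0) {
            for (int32_t j = 0; j < i; j++) bytestr_clear(&arr[j]); /* omitting this loop is the leak class */
            free(arr); return -1;
        }
    }
    for (int32_t i = 0; i < n; i++) bytestr_clear(&arr[i]); /* a real decoder would hand arr to the caller instead */
    free(arr); return n;
}
/* Constructed inputs: n=2 with "a" then null (valid); n=2 with "a" then a 5-byte string of which only 1 byte is present. */
int demo_valid(void) { static const uint8_t in[] = {2,0,0,0, 1,0,0,0,'a', 0xff,0xff,0xff,0xff}; return decode_array(in, sizeof in); }
int demo_truncated(void) { static const uint8_t in[] = {2,0,0,0, 1,0,0,0,'a', 5,0,0,0,'b'}; return decode_array(in, sizeof in); }
```

Building this with `-fsanitize=address` and deleting the inner cleanup loop reproduces a "Direct leak of 1 byte(s)" report from `bytestr_read` on the truncated input, the same shape as the reports above.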