Indirect-leak in xmlNewReference
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4565597116694528
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Indirect-leak
Crash Address:
Crash State:
  xmlNewReference
  xmlStringGetNodeList
  xmlStringGetNodeList
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=450688:450717
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94aB-7jauqpmqvrLc6O8nGKZmJw1cUEjoBhrAIkgxNqg1IfOSozm3G78OHo3PnSVcaKY355lbP0zhj5nmrzNN3WvEkkLhverlwZEtzs6T9pISbQhNNhMWSDjfjdz7aZJgcIa0KzPE2kjBQWb_l00ORm-QNJGM8T1KSoTg2m0QyReD3MbGxoy4V4T6reyq4rYa1Lx_q90Tk0eQFcX5qPMVNzGGrpG_0dnood-qGrXZvKnL7H9XfMu76nVb2tyordfIEsIsd_Cx72YLU58xETUyc5rxUNxE-KO5J94Hzo2onckMPg167ogrUGy6HR0o1Wvgcv9c0CWr4GRgDI49oxlTmSvkLuQ5MfMVTK-7f9ccfL5Tjdtp2nzCSssRBCOjZAWX1Jwa7Tr2LaaB27o1h3p_5ccBq5_A?testcase_id=4565597116694528
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 16 2017
Predator and CL did not provide any possible suspects. Using Code Search for the file "xmlstring.c", assigning to the concerned owner. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/3c53598f981660671a93f9f71e52e5bb58a2b64e @dominicc -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank You.
Feb 17 2017
I maintain the integration of this third party library so I am a good person to assign these to. Leaks in this component aren't a high priority right now; I'm worried that working on fixing them takes time away from, and may even exacerbate, problems where memory isn't being held onto long enough.
Apr 14 2017
Issue 698330 has been merged into this issue.
Apr 14 2017
I think what's happening here is entities cache their children, but some (all?) memory associated with that is not freed. So maybe debugging xmlFreeEntity to see if entity->children is even attempting to be freed, and if so, why xmlFreeNodeList isn't reaching these pointers.
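Added illustration of the hypothesis in the comment above, written for this page and not taken from libxml2: a constructed C model in which an entity caches the node list built from its content, a tracking allocator counts live blocks, and the two free routines (hypothetical names) show what leaks when the cached list is skipped versus released. Compile with ASan (`-fsanitize=address`) and the buggy path also reports the leak at exit.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libxml2 code: an "entity" caches the node list
 * built from its content (as xmlStringGetNodeList does for "&a; &b;"),
 * so the entity's free routine must release that list or every node leaks. */

static int live_blocks = 0;                     /* allocations not yet freed */
static void *tracked_alloc(size_t n) { live_blocks++; return calloc(1, n); }
static void  tracked_free(void *p)   { if (p) { live_blocks--; free(p); } }

typedef struct node { struct node *next; char *name; } node_t;
typedef struct entity { char *content; node_t *children; } entity_t;

/* One node per space-separated token; stands in for the reference nodes
 * that xmlNewReference creates while expanding entity content. */
static node_t *node_list_from_string(const char *content) {
    node_t *head = NULL, **tail = &head;
    char *copy = malloc(strlen(content) + 1);
    strcpy(copy, content);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        node_t *n = tracked_alloc(sizeof *n);
        n->name = tracked_alloc(strlen(tok) + 1);
        strcpy(n->name, tok);
        *tail = n; tail = &n->next;
    }
    free(copy);
    return head;
}

static void node_list_free(node_t *n) {          /* plays xmlFreeNodeList */
    while (n) { node_t *nx = n->next; tracked_free(n->name); tracked_free(n); n = nx; }
}

static entity_t *entity_new(const char *content) {
    entity_t *e = tracked_alloc(sizeof *e);
    e->content = tracked_alloc(strlen(content) + 1);
    strcpy(e->content, content);
    e->children = node_list_from_string(content);   /* the cached children */
    return e;
}

/* Buggy: frees the entity but never hands e->children to node_list_free. */
static void entity_free_buggy(entity_t *e) { tracked_free(e->content); tracked_free(e); }

/* Fixed: the cached list is released before the entity itself. */
static void entity_free_fixed(entity_t *e) {
    node_list_free(e->children); tracked_free(e->content); tracked_free(e);
}

/* Blocks still live after create + release, i.e. how many were leaked. */
static int leaked_after(const char *content, void (*release)(entity_t *)) {
    live_blocks = 0;
    release(entity_new(content));
    return live_blocks;
}
```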
May 25 2017
Can we have the latest update on this issue? Looks like it's not yet fixed from the report - https://clusterfuzz.com/v2/testcase-detail/4565597116694528?noredirect=1. Punting to M60.
May 30 2017
Here's how I prioritize libxml2, etc. bugs:
(most important) UAF/double free; OOB access
overflows
null deref; other undefined behavior
leaks (least important)
At the moment I'm working on more important things, so I haven't made any serious progress on this one, sorry. HTH!
May 30 2017
I think this is probably related to: libxml2: Indirect-leak in xmlBufResize https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=735
Jun 11 2017
Likely fixed by upstream commit here: https://git.gnome.org/browse/libxml2/commit/?id=8c82f5deeba9d6ecf85f2a0aa9c967320cc6c13c
Jun 21 2017
ClusterFuzz has detected this issue as fixed in range 480737:480767.

Detailed report: https://clusterfuzz.com/testcase?key=4565597116694528
Fuzzer: libFuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Indirect-leak
Crash Address:
Crash State:
  xmlNewReference
  xmlStringGetNodeList
  xmlStringGetNodeList
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=450688:450717
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=480737:480767
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4565597116694528
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 21 2017
ClusterFuzz testcase 6692732333719552 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Feb 16 2017
Labels: Test-Predator-Wrong M-58