Memory Leak at wildmidi_lib.c:2066 #204

Closed
YourButterfly opened this issue Oct 31, 2018 · 3 comments

@YourButterfly

version

WildMidi 0.4.3

others

This bug is reported by pwd@360TeamSeri0us,
please send email to teamSeri0us360@gmail.com if you have any questions.

description

commandline

./wildmidi -c ../../cfg/wildmidi.cfg memoryleak@wildmidi_lib.c\:2066

asan info

=================================================================
==3459==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4db290 in malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f56f0f9f054 in WildMidi_GetInfo /home/pwd/fuzz/from_exploit/wildmidi/src/wildmidi_lib.c:2066:45

SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

debug info

the location of heap malloc

In file: /home/pwd/fuzz/from_exploit/wildmidi/src/wildmidi_lib.c
   2061         _WM_GLOBAL_ERROR(__FUNCTION__, __LINE__, WM_ERR_INVALID_ARG, "(NULL handle)", 0);
   2062         return (NULL);
   2063     }
   2064     _WM_Lock(&mdi->lock);
   2065     if (mdi->tmp_info == NULL) {
 ► 2066         mdi->tmp_info = (struct _WM_Info *) malloc(sizeof(struct _WM_Info));
   2067         if (mdi->tmp_info == NULL) {
   2068             _WM_GLOBAL_ERROR(__FUNCTION__, __LINE__, WM_ERR_MEM, NULL, 0);
   2069             _WM_Unlock(&mdi->lock);
   2070             return (NULL);
   2071         }


Breakpoint wildmidi_lib.c:2066

pwndbg> p mdi->tmp_info 
$1 = (struct _WM_Info *) 0x603000002800

before binary exit,

In file: /home/pwd/fuzz/from_exploit/wildmidi/src/wildmidi.c
   2084         fprintf(stderr, "OOPS: failure shutting down libWildMidi\r\n%s\r\n", ret_err);
   2085         WildMidi_ClearError();
   2086     }
   2087     wm_resetty();
   2088 
   2089     printf("\r\n");
   2090     return (0);
   2091 }
   2092 
   2093 /* helper / replacement functions: */
   2094 
Breakpoint wildmidi.c:2089
pwndbg> p (struct _WM_Info *) 0x603000002800
$2 = (struct _WM_Info *) 0x603000002800
pwndbg> p *(struct _WM_Info *) 0x603000002800
$3 = {
  copyright = 0x0, 
  current_sample = 445968, 
  approx_total_samples = 445968, 
  mixer_options = 0, 
  total_midi_time = 13905
}

poc.tar.gz

@sezero
Contributor

sezero commented Oct 31, 2018

Commit d5d2b27 by @chrisisonwildcode had removed free()ing of mdi->tmp_info
without saying why, but it seems wrong?

Anyways, this should be fixed by commit 9302455.
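
The ownership pattern behind this report, as an added example that is not WildMidi's code and not part of the thread: a handle lazily allocates a cached info struct (as `mdi->tmp_info` is in the excerpt above), so the close path has to free it. All names here (`handle_open`, `handle_get_info`, `handle_close`, the counting allocator) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for a library handle and its cached info struct. */
struct info { unsigned long approx_total_samples; };
struct handle { struct info *tmp_info; unsigned long total; };
static long live_allocs = 0; /* heap blocks currently outstanding */
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

static struct handle *handle_open(unsigned long total) {
    struct handle *h = xmalloc(sizeof *h);
    if (h != NULL) { h->tmp_info = NULL; h->total = total; } /* tmp_info is lazy */
    return h;
}

/* Allocates on the first call, reuses the buffer afterwards; the handle owns it. */
static struct info *handle_get_info(struct handle *h) {
    if (h->tmp_info == NULL) {
        h->tmp_info = xmalloc(sizeof *h->tmp_info);
        if (h->tmp_info == NULL) return NULL;
    }
    h->tmp_info->approx_total_samples = h->total;
    return h->tmp_info;
}

/* free_cached = 0 models a close path that forgets tmp_info; 1 releases it. */
static void handle_close(struct handle *h, int free_cached) {
    if (free_cached) xfree(h->tmp_info);
    xfree(h);
}

/* Blocks still outstanding after open -> get_info twice -> close. */
static long leaked_after_session(int free_cached) {
    long before = live_allocs;
    struct handle *h = handle_open(445968); /* constructed sample length */
    if (h == NULL) return -1;
    handle_get_info(h);
    struct info *cached = handle_get_info(h); /* same block as the first call */
    handle_close(h, free_cached);
    long outstanding = live_allocs - before;
    if (!free_cached) xfree(cached); /* reclaim so the demo itself leaks nothing */
    return outstanding;
}

int main(void) {
    printf("close without free: %ld outstanding; with free: %ld\n",
           leaked_after_session(0), leaked_after_session(1));
    return 0;
}
```

The one outstanding block in the first case corresponds to the single direct leak LeakSanitizer reports in the issue.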

@psi29a
Member

psi29a commented Oct 31, 2018

Thanks @sezero

@YourButterfly
Author

It's fixed, mine is not the latest version
From https://github.com/Mindwerks/wildmidi
4a31bab..96b472c master -> origin/master
3999b68..226a239 wildmidi-0.3 -> origin/wildmidi-0.3
Updating 4a31bab..96b472c
Fast-forward
README.md | 1 +
os2/makefile | 6 +++---
src/CMakeLists.txt | 4 ++--
src/internal_midi.c | 4 ++++
4 files changed, 10 insertions(+), 5 deletions(-)
