Bug 741106 – Problem with low memory and realloc

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 741106 - (Mark) Problem with low memory and realloc

(Mark)
Summary:	Problem with low memory and realloc


Status:	RESOLVED OBSOLETE

Product:	libxml2
Classification:	Platform
Component:	general
Version:	git master
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Daniel Veillard
QA Contact:	libxml QA maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-12-04 11:36 UTC by Mark Rance
Modified:	2021-07-05 13:24 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
This is a close as possible to the current memory code to show the error (7.76 KB, application/octet-stream) 2014-12-23 10:32 UTC, Mark Rance	Details

Description Mark Rance 2014-12-04 11:36:07 UTC

With version 2.9.2 of libxml2 and xmlReallocLoc in file xmlmemory.c if the realloc fails (line 347) the original block of memory is now freed, this causes freed memory to be accessed later on when closing streams.

I think this is made worse by the encoding functions for example xmlCharEncFirstLineInput checks for xmlBufAvail and subtract 1 from then thinks that 4gb of memory is available (e.g. line 2069 of encoding.c, which then drops it to 360 bytes of available memory)

In version 2.9.1 it just leaked and caused a double free error when checking the mh_tag structure member as various stream close operations are performed.

One thing I do to help show these errors is add a debugging variable so when debugging I can artificially return fail on realloc or malloc when hitting a certain memory limit, I hope that makes sense.

Comment 1 Mark Rance 2014-12-23 10:32:03 UTC

Created attachment 293242 [details]
This is a close as possible to the current memory code to show the error

I have found quite a few places where low memory causes unexpected problems. The problem I was getting was with the realloc function. I've attached the source files and a VS2010 project is here http://www.avcosystems.com/temp/Libxml2Test.zip
to show the problem and the cure I am using. 
There are lots of places in the current library where there is this line of code written = xmlBufAvail(out) - 1;
This returns 0 when there is no memory which has one subtracted making it 0xFFFFFFFF (sometimes this is dropped to  256 * 1024) but this is obviously still wrong when out of memory although it may be sorted out later.

Comment 2 GNOME Infrastructure Team 2021-07-05 13:24:58 UTC

GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/

Thank you for your understanding and your help.