GNOME Bugzilla – Bug 756459
memory leak in xmlNewDocElementContent
Last modified: 2017-06-07 17:19:22 UTC
found with libFuzzer+AddressSanitizer on fresh git

echo PCFET0NUWVBFIDxbCQ0NPCFFTEVNRU5UDUIoI1BDREFUQXx1fFtdOg== | base64 --decode | ASAN_OPTIONS=strip_path_prefix=`pwd`/:fast_unwind_on_malloc=0 ./xmllint -

==37473==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x4ab58b in malloc
    #1 0x7f4032af219c in xmlNewDocElementContent__internal_alias valid.c:952:34
    #2 0x7f40329cc799 in xmlParseElementMixedContentDecl__internal_alias parser.c:6206:18
    #3 0x7f40329d277d in xmlParseElementContentDecl__internal_alias parser.c:6636:16
    #4 0x7f40329d37ec in xmlParseElementDecl__internal_alias parser.c:6703:12
    #5 0x7f40329d5e7c in xmlParseMarkupDecl__internal_alias parser.c:6952:4
    #6 0x7f4032a133e8 in xmlParseInternalSubset parser.c:8420:6
    #7 0x7f4032a11109 in xmlParseDocument__internal_alias parser.c:10836:6
    #8 0x7f4032a36a14 in xmlDoRead parser.c:15324:5
    #9 0x7f4032a36e14 in xmlReadFile__internal_alias parser.c:15386:13
    #10 0x4e3193 in parseAndPrintFile xmllint.c:2401:9
    #11 0x4da592 in main xmllint.c:3759:7
It is detected by valgrind also:

echo PCFET0NUWVBFIDxbCQ0NPCFFTEVNRU5UDUIoI1BDREFUQXx1fFtdOg== | base64 --decode | valgrind --leak-check=full ./xmllint -

==33491== 96 (48 direct, 48 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 2
==33491==    at 0x4C2AC3D: malloc (vg_replace_malloc.c:299)
==33491==    by 0x4EA2F6E: xmlNewDocElementContent (valid.c:952)
==33491==    by 0x4E7DC20: xmlParseElementMixedContentDecl (parser.c:6221)
==33491==    by 0x4E7DD38: xmlParseElementContentDecl (parser.c:6651)
==33491==    by 0x4E7DF2F: xmlParseElementDecl (parser.c:6718)
==33491==    by 0x4E80F24: xmlParseMarkupDecl (parser.c:6969)
==33491==    by 0x4E816AD: xmlParseInternalSubset (parser.c:8445)
==33491==    by 0x4E8539E: xmlParseDocument (parser.c:10880)
==33491==    by 0x4E85506: xmlDoRead (parser.c:15390)
==33491==    by 0x409E7C: parseAndPrintFile (xmllint.c:2401)
==33491==    by 0x406B4E: main (xmllint.c:3759)
==33491==
==33491== LEAK SUMMARY:
==33491==    definitely lost: 48 bytes in 1 blocks
==33491==    indirectly lost: 48 bytes in 1 blocks
==33491==    possibly lost: 0 bytes in 0 blocks
==33491==    still reachable: 0 bytes in 0 blocks
==33491==    suppressed: 0 bytes in 0 blocks
I found this independently. Fixed with the following commit: https://git.gnome.org/browse/libxml2/commit/?id=8627e4ed207571d2647ac3e28fb18e03f9326ad9
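The traces above show the bug class behind this report: a recursive-descent DTD parser allocates a content node (xmlNewDocElementContent called from xmlParseElementMixedContentDecl), then hits a parse error on truncated input and returns without releasing the partially built list. The example below is an added illustration written for this page, not libxml2 code and not the fix commit: it is a toy mixed-content parser with a counting allocator, where parse_mixed can run either the leaking error path or one that frees the partial list. The inputs, the Content struct, the live_objects counter and the free_on_error switch are all constructed for the example; the valgrind report's "48 direct, 48 indirect" pattern (one head node plus one child reachable only through it) is what the two leaked objects in the buggy run are meant to mirror.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for libxml2's element content list: one node per
 * alternative in a mixed-content declaration, linked by next. */
typedef struct Content {
    char *name;
    struct Content *next;
} Content;

/* Counting allocator: live_objects plays the role of the leak counters
 * that LeakSanitizer and valgrind report in the bug above. */
static long live_objects = 0;

static Content *content_new(const char *name, size_t len) {
    Content *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->name = malloc(len + 1);
    if (!c->name) { free(c); return NULL; }
    memcpy(c->name, name, len);
    c->name[len] = '\0';
    c->next = NULL;
    live_objects++;
    return c;
}

/* Frees a whole list, head first (the analogue of xmlFreeDocElementContent). */
static void content_free(Content *c) {
    while (c) {
        Content *n = c->next;
        free(c->name);
        free(c);
        live_objects--;
        c = n;
    }
}

/* Parse "(#PCDATA|Name|Name...)" with an optional trailing '*'.
 * Returns the list or NULL on a malformed declaration.
 * free_on_error == 0 reproduces the bug class from the report: an error
 * raised after the list has started leaks every node built so far.
 * free_on_error != 0 is the corrected shape: the error path frees the
 * partial list before returning NULL. */
static Content *parse_mixed(const char *s, int free_on_error) {
    Content *head, *tail;
    if (strncmp(s, "(#PCDATA", 8) != 0) return NULL;
    head = tail = content_new("#PCDATA", 7);   /* first node, as in the trace */
    if (!head) return NULL;
    s += 8;
    while (*s == '|') {
        const char *start;
        Content *c;
        s++;
        start = s;
        while (isalnum((unsigned char)*s) || *s == '_') s++;
        if (s == start) goto fail;              /* '|' not followed by a Name */
        c = content_new(start, (size_t)(s - start));
        if (!c) goto fail;
        tail->next = c;
        tail = c;
    }
    if (*s != ')') goto fail;                   /* truncated: no closing ')' */
    s++;
    if (*s == '*') s++;
    if (*s != '\0') goto fail;
    return head;
fail:
    if (free_on_error) content_free(head);      /* the missing cleanup */
    return NULL;
}

/* Number of objects still live after parsing s and freeing the result:
 * 0 means no leak, anything else is the size of the leak. */
static long leaked_after_parse(const char *s, int free_on_error) {
    long before = live_objects;
    Content *c = parse_mixed(s, free_on_error);
    content_free(c);
    return live_objects - before;
}

/* Length of the parsed list for a valid declaration, -1 on a parse error. */
static int parsed_length(const char *s) {
    int n = 0;
    Content *c = parse_mixed(s, 1);
    if (!c) return -1;
    for (const Content *p = c; p; p = p->next) n++;
    content_free(c);
    return n;
}

int main(void) {
    /* Constructed inputs: a valid declaration and a truncated one that
     * ends after a '|', modelled on the truncated DTD in the report. */
    const char *ok = "(#PCDATA|b|i)*";
    const char *truncated = "(#PCDATA|u|";
    printf("valid declaration: %d nodes, leaked %ld\n",
           parsed_length(ok), leaked_after_parse(ok, 1));
    printf("truncated, leaking error path: leaked %ld objects\n",
           leaked_after_parse(truncated, 0));
    printf("truncated, freeing error path: leaked %ld objects\n",
           leaked_after_parse(truncated, 1));
    return 0;
}
```

Building this with -fsanitize=address and running it with free_on_error forced to 0 produces the same "direct" plus "indirect" leak shape as the valgrind summary above, which is the quickest way to confirm that a regression test for this kind of bug must exercise the malformed input, not only the valid one.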