
libmbim-glib,message: fix leak when processing string array is aborted

We must define the GPtrArray with a valid GDestroyFunc for its elements, so that if we abort reading the string array due to a bug in one of its elements, we fully clean up the GPtrArray and its temporary contents.

  Direct leak of 1 byte(s) in 1 object(s) allocated from:
      #0 0x566dc312fb8e in malloc
      #1 0x7ab42f23ac00 in try_malloc_n /build/amd64-generic/tmp/portage/dev-libs/glib-2.74.1-r1/work/glib-2.74.1/glib/gutf8.c:831:20
      #2 0x7ab42f23b23e in g_utf16_to_utf8 /build/amd64-generic/tmp/portage/dev-libs/glib-2.74.1-r1/work/glib-2.74.1/glib/gutf8.c:1108:12
      #3 0x566dc3160ebc in _mbim_message_read_string /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:608:16
      #4 0x566dc3161203 in _mbim_message_read_string_array /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:664:14
      #5 0x566dc31a65bd in mbim_message_subscriber_ready_status_notification_get_printable /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7-build/src/libmbim-glib/generated/mbim-basic-connect.c:3535:14
      #6 0x566dc3169111 in mbim_message_get_printable_full /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:0
      #7 0x566dc315f0b5 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/test/test-message-fuzzer.c:31:17
      #8 0x566dc3063020 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
      #9 0x566dc304d890 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
      #10 0x566dc3052d54 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
      #11 0x566dc307e3b2 in main
      #12 0x7ab42e81b6c5 in __libc_start_call_main
      #13 0x7ab42e81b781 in __libc_start_main_impl
      #14 0x566dc3044c80 in _start

Fixes d39f942f

Edited by Aleksander Morgado
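The ownership rule the commit describes, shown as an added example that is not libmbim's or GLib's code: a self-contained C model of the bug and its fix. The array type (PtrArray, with a per-element destroy function standing in for the GDestroyNotify passed to g_ptr_array_new_with_free_func()), the UTF-16LE decoder, the counted_free instrumentation, the wire layout (count, then length-prefixed UTF-16LE elements; not MBIM's real encoding) and the two sample messages are all constructed for the demo. The same reader is run twice over a message whose last element is a lone surrogate: with destroy == NULL the already-converted strings are orphaned when the partial array is dropped, which is the leak in the trace above; with a destroy function the abort path frees them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Demo instrumentation (not libmbim): count strings alive so the abort path
 * can be checked without a sanitizer. */
static int live_strings = 0;
static void counted_free(void *p) { if (p) { live_strings--; free(p); } }

/* Minimal owned-pointer array modeled on GPtrArray. 'destroy' plays the role
 * of the GDestroyNotify given to g_ptr_array_new_with_free_func(). */
typedef struct { void **pdata; size_t len, cap; void (*destroy)(void *); } PtrArray;

static PtrArray *ptr_array_new(void (*destroy)(void *)) {
    PtrArray *a = calloc(1, sizeof *a);
    if (a) a->destroy = destroy;
    return a;
}

static int ptr_array_add(PtrArray *a, void *p) {
    if (a->len == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        void **np = realloc(a->pdata, ncap * sizeof *np);
        if (!np) return 0;
        a->pdata = np; a->cap = ncap;
    }
    a->pdata[a->len++] = p;
    return 1;
}

/* Dropping the last reference (g_ptr_array_unref): elements are destroyed only
 * if the array was given a destroy function; with NULL they are orphaned. */
static void ptr_array_unref(PtrArray *a) {
    if (!a) return;
    if (a->destroy) for (size_t i = 0; i < a->len; i++) a->destroy(a->pdata[i]);
    free(a->pdata);
    free(a);
}

/* UTF-16LE (n code units) to NUL-terminated UTF-8; NULL on an unpaired
 * surrogate, the same condition under which g_utf16_to_utf8() fails. */
static char *utf16le_to_utf8(const uint8_t *p, size_t n) {
    char *out = malloc(n * 3 + 1);
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t c = p[2 * i] | (uint32_t)p[2 * i + 1] << 8;
        if (c >= 0xD800 && c <= 0xDBFF) {            /* high surrogate: needs a low one */
            uint32_t lo = i + 1 < n ? p[2 * i + 2] | (uint32_t)p[2 * i + 3] << 8 : 0;
            if (lo < 0xDC00 || lo > 0xDFFF) { free(out); return NULL; }
            c = 0x10000 + ((c - 0xD800) << 10) + (lo - 0xDC00);
            i++;
        } else if (c >= 0xDC00 && c <= 0xDFFF) {     /* lone low surrogate */
            free(out); return NULL;
        }
        if (c < 0x80) out[o++] = (char)c;
        else if (c < 0x800) { out[o++] = (char)(0xC0 | c >> 6); out[o++] = (char)(0x80 | (c & 0x3F)); }
        else if (c < 0x10000) { out[o++] = (char)(0xE0 | c >> 12); out[o++] = (char)(0x80 | (c >> 6 & 0x3F)); out[o++] = (char)(0x80 | (c & 0x3F)); }
        else { out[o++] = (char)(0xF0 | c >> 18); out[o++] = (char)(0x80 | (c >> 12 & 0x3F)); out[o++] = (char)(0x80 | (c >> 6 & 0x3F)); out[o++] = (char)(0x80 | (c & 0x3F)); }
    }
    out[o] = '\0';
    live_strings++;
    return out;
}

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed layout (not MBIM's): u32 LE element count, then per element a
 * u32 LE byte length followed by UTF-16LE payload. Returns NULL and discards
 * the partial array as soon as one element is malformed. */
static PtrArray *read_string_array(const uint8_t *buf, size_t len, void (*destroy)(void *)) {
    PtrArray *arr = ptr_array_new(destroy);
    size_t pos = 4;
    if (!arr || len < 4) goto fail;
    for (uint32_t i = 0, count = rd32(buf); i < count; i++) {
        uint32_t blen;
        char *s;
        if (len - pos < 4) goto fail;
        blen = rd32(buf + pos); pos += 4;
        if (blen % 2 || blen > len - pos) goto fail;
        s = utf16le_to_utf8(buf + pos, blen / 2);
        if (!s || !ptr_array_add(arr, s)) { counted_free(s); goto fail; }
        pos += blen;
    }
    return arr;
fail:
    ptr_array_unref(arr);   /* abort: already-read strings survive unless 'destroy' is set */
    return NULL;
}

/* Constructed messages: 'good' holds "AB" and U+1F600 (a surrogate pair);
 * 'bad' holds "AB", U+00E9 and then a lone high surrogate that aborts the read. */
static const uint8_t good_msg[] = { 2,0,0,0, 4,0,0,0, 'A',0,'B',0, 4,0,0,0, 0x3D,0xD8,0x00,0xDE };
static const uint8_t bad_msg[]  = { 3,0,0,0, 4,0,0,0, 'A',0,'B',0, 2,0,0,0, 0xE9,0x00, 2,0,0,0, 0x00,0xD8 };

/* Parse and drop the array, returning how many strings were left alive. */
static int leaked_after_parse(const uint8_t *buf, size_t len, int with_destroy) {
    live_strings = 0;
    ptr_array_unref(read_string_array(buf, len, with_destroy ? counted_free : NULL));
    return live_strings;
}

/* Successful parse: two elements with the expected UTF-8, nothing left alive after unref. */
static int good_parse_ok(void) {
    PtrArray *a;
    int ok;
    live_strings = 0;
    a = read_string_array(good_msg, sizeof good_msg, counted_free);
    ok = a && a->len == 2 && strcmp(a->pdata[0], "AB") == 0
           && strcmp(a->pdata[1], "\xF0\x9F\x98\x80") == 0;
    ptr_array_unref(a);
    return ok && live_strings == 0;
}

int main(void) {
    printf("leaked without destroy func: %d\n", leaked_after_parse(bad_msg, sizeof bad_msg, 0));
    printf("leaked with destroy func:    %d\n", leaked_after_parse(bad_msg, sizeof bad_msg, 1));
    printf("good message parses: %s\n", good_parse_ok() ? "yes" : "no");
    return 0;
}
```

The fix is entirely in who owns the elements: once the array carries the destructor, the single unref on the abort path is enough, and no per-element cleanup loop has to be kept in sync with every early return in the reader. The fuzzer found this because the abort path is the one a normal message never takes, so a test corpus that only contains well-formed string arrays will never exercise it.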
