/lodepng-rust

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Memory leak on malformed input #28

Closed
Shnatsel opened this Issue Jun 21, 2018 · 1 comment

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@Shnatsel @kornelski
@Shnatsel
Copy link
Contributor

Shnatsel commented Jun 21, 2018
edited

lodepng-rust leaks memory when given malicious input. This issue has been discovered via fuzzing with cargo-fuzz.

Steps to reproduce:

git clone https://github.com/Shnatsel/lodepng-leak.git
cd lodepng-leak
RUSTFLAGS='--cfg fuzzing' cargo run

PNG and deflate checksums make fuzzing impossible, so I have modified lodepng-fuzz to disable checksum verification during fuzzing via conditional compilation. lodepng-leak repo currently links against my modified version, which can be found here along with the fuzzing setup. The code right now is rather messy, but it would be nice to get something similar in your repo as well.
@kornelski

This comment has been minimized.

Sign in to view
Copy link
Owner

kornelski commented Jun 21, 2018
edited

That's an interesting result. Thank you for fuzzing it!

I'll check it next week as I'm currently traveling.

This was referenced Jun 27, 2018

Closed
Merged

@kornelski kornelski closed this in 1d052a2 Jul 18, 2018

kornelski added a commit that referenced this issue Jul 18, 2018

@kornelski
Avoid leaking malloced strings 
Fixes #28
37a7bcc

@Shnatsel Shnatsel referenced this issue Aug 30, 2018

Closed

Memory leak on decoding a malformed image #34

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment