## Summary
A memory leak exists in the tic utility when processing a malformed terminfo 
source file. Multiple allocations performed during parsing are not freed on 
error paths, resulting in a total of 4756 bytes leaked as detected by 
LeakSanitizer.
## Vulnerability Details
**Program**: tic (from ncurses)
**Version**: 6.6
**Crash Type**: memory leak (LeakSanitizer)
**Root Cause**: When parsing a malformed terminfo entry containing invalid use= 
references or syntax errors, the program jumps to error‑handling code without 
releasing previously allocated ENTRY structures, duplicated strings, and 
TERMTYPE data, causing direct and indirect memory leaks.
##ASAN report
=================================================================
==3185490==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1216 byte(s) in 1 object(s) allocated from:
    #0 0x76639f2fd9c7 in malloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5b7a246df301 in _nc_resolve_uses2 ../ncurses/./tinfo/comp_parse.c:494
    #2 0x5b7a24696744 in main ../progs/tic.c:993
    #3 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #5 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
Direct leak of 6 byte(s) in 2 object(s) allocated from:
    #0 0x76639f2f74e8 in strdup 
../../../../src/libsanitizer/asan/asan_interceptors.cpp:578
    #1 0x5b7a247002cc in _nc_wrap_entry ../ncurses/./tinfo/alloc_entry.c:242
    #2 0x5b7a246e99fb in _nc_parse_entry ../ncurses/./tinfo/parse_entry.c:648
    #3 0x5b7a246de48e in _nc_read_entry_source 
../ncurses/./tinfo/comp_parse.c:238
    #4 0x5b7a24696703 in main ../progs/tic.c:985
    #5 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #7 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
Indirect leak of 3312 byte(s) in 1 object(s) allocated from:
    #0 0x76639f2fd340 in calloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5b7a246d248a in _nc_read_termtype ../ncurses/./tinfo/read_entry.c:387
    #2 0x5b7a246d3a70 in _nc_read_file_entry ../ncurses/./tinfo/read_entry.c:603
    #3 0x5b7a246d4797 in _nc_read_tic_entry ../ncurses/./tinfo/read_entry.c:861
    #4 0x5b7a246d4a2f in _nc_read_entry2 ../ncurses/./tinfo/read_entry.c:905
    #5 0x5b7a246df2ee in _nc_resolve_uses2 ../ncurses/./tinfo/comp_parse.c:490
    #6 0x5b7a24696744 in main ../progs/tic.c:993
    #7 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
Indirect leak of 156 byte(s) in 1 object(s) allocated from:
    #0 0x76639f2fd340 in calloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5b7a246d2368 in _nc_read_termtype ../ncurses/./tinfo/read_entry.c:381
    #2 0x5b7a246d3a70 in _nc_read_file_entry ../ncurses/./tinfo/read_entry.c:603
    #3 0x5b7a246d4797 in _nc_read_tic_entry ../ncurses/./tinfo/read_entry.c:861
    #4 0x5b7a246d4a2f in _nc_read_entry2 ../ncurses/./tinfo/read_entry.c:905
    #5 0x5b7a246df2ee in _nc_resolve_uses2 ../ncurses/./tinfo/comp_parse.c:490
    #6 0x5b7a24696744 in main ../progs/tic.c:993
    #7 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
Indirect leak of 44 byte(s) in 1 object(s) allocated from:
    #0 0x76639f2fd340 in calloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5b7a246d2242 in _nc_read_termtype ../ncurses/./tinfo/read_entry.c:367
    #2 0x5b7a246d3a70 in _nc_read_file_entry ../ncurses/./tinfo/read_entry.c:603
    #3 0x5b7a246d4797 in _nc_read_tic_entry ../ncurses/./tinfo/read_entry.c:861
    #4 0x5b7a246d4a2f in _nc_read_entry2 ../ncurses/./tinfo/read_entry.c:905
    #5 0x5b7a246df2ee in _nc_resolve_uses2 ../ncurses/./tinfo/comp_parse.c:490
    #6 0x5b7a24696744 in main ../progs/tic.c:993
    #7 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
Indirect leak of 22 byte(s) in 1 object(s) allocated from:
    #0 0x76639f2fd9c7 in malloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5b7a246d2018 in _nc_read_termtype ../ncurses/./tinfo/read_entry.c:349
    #2 0x5b7a246d3a70 in _nc_read_file_entry ../ncurses/./tinfo/read_entry.c:603
    #3 0x5b7a246d4797 in _nc_read_tic_entry ../ncurses/./tinfo/read_entry.c:861
    #4 0x5b7a246d4a2f in _nc_read_entry2 ../ncurses/./tinfo/read_entry.c:905
    #5 0x5b7a246df2ee in _nc_resolve_uses2 ../ncurses/./tinfo/comp_parse.c:490
    #6 0x5b7a24696744 in main ../progs/tic.c:993
    #7 0x76639ee2a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x76639ee2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5b7a24692e44 in _start 
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
 (BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
SUMMARY: AddressSanitizer: 4756 byte(s) leaked in 7 allocation(s).
### Root Cause
1.main() calls _nc_read_entry_source() to parse the input file. During parsing, 
if an invalid use= reference (e.g., use=x24 fails to resolve) or other syntax 
error occurs, an error flag is set and the code jumps to cleanup routines.
2.However, in _nc_resolve_uses2(), when resolving a use= reference fails (e.g., 
the referenced entry does not exist), the function has already allocated 1216 
bytes via malloc for an ENTRY structure, but returns without freeing that 
memory.
3.Similarly, _nc_parse_entry() duplicates strings via strdup, and 
_nc_read_termtype() allocates TERMTYPE structures and internal arrays using 
calloc and malloc. These are not freed when errors occur later in the parsing 
process, leading to direct and indirect leaks.
### Vulnerable Code (comp_parse.c:494)
```c
TYPE_MALLOC(ENTRY, 1, rp);
```
Also in(alloc_entry.c:242)
```c
ep->uses[i].name = strdup(tp->str_table + useoffsets[i]);
```
Also in(read_entry.c:387)
```c
TYPE_CALLOC(char *, Max(STRCOUNT, str_count), ptr->Strings);
```
Also in(read_entry.c:381)
```c
TYPE_CALLOC(NCURSES_INT2, Max(NUMCOUNT, num_count), ptr->Numbers);
```
Also in(read_entry.c:367)
```c
TYPE_CALLOC(NCURSES_SBOOL, Max(BOOLCOUNT, bool_count), ptr->Booleans);
```
Also in(read_entry.c:349)
```c
|| (string_table = typeMalloc(char, want)) == NULL) {
```
##Proof of Concept
**PoC File**: tic_mem_leak
https://github.com/raind20001020/Poc/blob/main/tic_mem_leak
**Reproduction**:
``bash
tic -a -c tic_mem_leak
```
###Credit
Yufeng Wu、Zhijie Zhang、Qizhen Xu

Attachment: tic_mem_leak
Description: Binary data

Reply via email to