The following code:

    EVP_PKEY_free(d2i_AutoPrivateKey(NULL, &bufp, n));

Will leak memory when fed this input:

    30390201023009060138080469303080301901029ff88b298030b01b060922be0804e930864886f70d3a0180093080060102308030013b0200000420308204e930c3e8300105308030013b01040202ff003029021103292902009930800621022404e83001010430801b06092a86483001aa0286c030dfe980

I believe this is because the X509_ATTRIBUTE item "combines" the first and second members. Thus, after parsing an ASN1_OBJECT, the main loop in ASN1_item_ex_d2i does `pseqval = asn1_get_field_ptr(pval, seqtt);` with i=1 and gets pseqval=pval.

ASN1_item_ex_d2i has code to "/* Free up and zero CHOICE value if initialised */", but it doesn't trigger in this situation and then ASN1_item_ex_d2i overwrites the ASN1_OBJECT pointer and leaks it.

The trace of the leak is the following, from 1.0.1 HEAD:

==12959== 41 (40 direct, 1 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 16
==12959==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==12959==    by 0x40AB43: default_malloc_ex (/agl/openssl/crypto/mem.c:79)
==12959==    by 0x40B1D3: CRYPTO_malloc (/agl/openssl/crypto/mem.c:342)
==12959==    by 0x432006: ASN1_OBJECT_new (/agl/openssl/crypto/asn1/a_object.c:346)
==12959==    by 0x431E6E: c2i_ASN1_OBJECT (/agl/openssl/crypto/asn1/a_object.c:301)
==12959==    by 0x4069D7: asn1_ex_c2i (/agl/openssl/crypto/asn1/tasn_dec.c:874)
==12959==    by 0x40682A: asn1_d2i_ex_primitive (/agl/openssl/crypto/asn1/tasn_dec.c:831)
==12959==    by 0x404F15: ASN1_item_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:207)
==12959==    by 0x40632C: asn1_template_noexp_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:691)
==12959==    by 0x405F20: asn1_template_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:579)
==12959==    by 0x4059DD: ASN1_item_ex_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:443)
==12959==    by 0x4061B6: asn1_template_noexp_d2i (/agl/openssl/crypto/asn1/tasn_dec.c:663)
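A simplified model of the mechanism described in the report above, added here as an example; it is not OpenSSL code and not part of the original message. All names (struct parent, get_field_ptr, decode, free_before_store) are hypothetical, and the guard shown is a generic one for this model, not the project's fix.

```c
#include <stdlib.h>

/* Constructed model, not OpenSSL code: a two-field template in which
 * field 1 may be "combined" into the parent, so that its storage slot
 * aliases the slot already used by field 0. */
static int live_allocs;                  /* allocations not yet freed */

static void *obj_new(void)
{
    void *p = malloc(40);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void obj_free(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

struct parent { void *slot0; void *slot1; };

/* Hypothetical field lookup: a combined field resolves to the first slot. */
static void **get_field_ptr(struct parent *p, int i, int combined)
{
    return (i == 1 && !combined) ? &p->slot1 : &p->slot0;
}

/* Decode both fields and tear the parent down again. free_before_store
 * models a guard that releases an already-initialised slot before it is
 * overwritten. Returns the number of orphaned objects. */
static int decode(int combined, int free_before_store)
{
    struct parent p = { NULL, NULL };
    live_allocs = 0;
    for (int i = 0; i < 2; i++) {
        void **field = get_field_ptr(&p, i, combined);
        if (free_before_store && *field != NULL) {
            obj_free(*field);
            *field = NULL;
        }
        *field = obj_new();              /* overwrites any earlier pointer */
    }
    obj_free(p.slot0);                   /* normal teardown only frees */
    obj_free(p.slot1);                   /* what the parent still holds */
    return live_allocs;
}

int main(void)
{
    return decode(1, 0) == 1 ? 0 : 1;    /* combined, no guard: one leak */
}
```

In the model, the combined case without the guard loses exactly one object, which matches the single "definitely lost" block in the valgrind trace.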
