Bug#1063678: libmrss0: Memory leak while parsing an RSS2 feed

2024-03-31 Thread Mikhail Kot

Good day!

I can confirm that the bug is fixed in upstream, thanks.
Unfortunately, I can't see the updated version in either the Debian packages
(https://tracker.debian.org/pkg/libmrss) or the Ubuntu packages
(https://packages.ubuntu.com/noble/libmrss0). The one present (0.19.2-7) still
contains the bug.

--
Mikhail :ะท



Bug#1063678: libmrss0: Memory leak while parsing an RSS2 feed

2024-02-10 Thread Mikhail Kot
Package: libmrss0
Version: 0.19.2-7
Severity: important
X-Debbugs-Cc: to-debian-...@myrrc.dev

Dear Maintainer,

I have found a bug in libmrss0 leading to a memory leak when parsing some
files. Please find the details attached.

For the following program:

```c
#include <stdio.h>
#include <stdlib.h>
#include <mrss.h>

int main(int argc, char **argv) {
  (void)argc, (void)argv;
  mrss_t *doc = NULL;

  /* Read the whole feed into memory so it can be handed to mrss_parse_buffer(). */
  FILE *rss = fopen("rss.xml", "r");
  if (rss == NULL)
    return 1;
  fseek(rss, 0, SEEK_END);
  long len = ftell(rss);
  rewind(rss);

  char *str = malloc(len + 1);
  fread(str, len, 1, rss);
  fclose(rss);
  str[len] = 0;

  /* mrss_parse_buffer() allocates the document; mrss_free() is the only
     cleanup call the API requires. */
  mrss_parse_buffer(str, len, &doc);
  mrss_free(doc);
  free(str);
  return 0;
}
```

built with

```
gcc -o out -fsanitize=address nxml_err.c -lmrss
```

Given rss.xml is `wget https://blog.demofox.org/rss.xml`,

ASan reports the following error:

```
=
==967975==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 3 byte(s) in 1 object(s) allocated from:
    #0 0x7f87515749a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
    #1 0x7f87511cec70 in nxmle_find_attribute (/lib/x86_64-linux-gnu/libnxml.so.0+0x5c70)

SUMMARY: AddressSanitizer: 3 byte(s) leaked in 1 allocation(s).
```

The issue also reproduces on different files. On some other files,
a bigger leak is reported.

```
=
==966721==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 376010 byte(s) in 18 object(s) allocated from:
    #0 0x7ff5db6989a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
    #1 0x7ff5dad73029 in nxml_get_string (/lib/x86_64-linux-gnu/libnxml.so.0+0x5029)

Direct leak of 3 byte(s) in 1 object(s) allocated from:
    #0 0x7ff5db6989a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
    #1 0x7ff5dad73c70 in nxmle_find_attribute (/lib/x86_64-linux-gnu/libnxml.so.0+0x5c70)

SUMMARY: AddressSanitizer: 376013 byte(s) leaked in 19 allocation(s).
```

Libmrss0 uses nxml0 internally. For the following program,

```c
#include <stdio.h>
#include <stdlib.h>
#include <nxml.h>

int main(int argc, char **argv) {
  (void)argc, (void)argv;
  nxml_t *doc = NULL;

  /* Same file-to-buffer setup as the libmrss program above. */
  FILE *rss = fopen("rss.xml", "r");
  if (rss == NULL)
    return 1;
  fseek(rss, 0, SEEK_END);
  long len = ftell(rss);
  rewind(rss);

  char *str = malloc(len + 1);
  fread(str, len, 1, rss);
  fclose(rss);
  str[len] = 0;

  /* Drive libnxml directly, bypassing libmrss, to see whether it leaks on its own. */
  if (nxml_new(&doc) != NXML_OK)
    return 1;
  nxml_parse_buffer(doc, str, len);
  nxml_free(doc);

  free(str);
  return 0;
}
```

built with

```
gcc -o out -fsanitize=address nxml_err.c -lnxml
```

the leak does not reproduce, which makes me think the issue is not related to
libnxml0.
If we modify the first program to parse an url instead,

```c
mrss_parse_url("https://blog.demofox.org/rss.xml", &doc);
```

the error remains the same which makes me think the issue is not related
to libcurl.

According to libmrss0 sources
(https://github.com/bakulf/libmrss/blob/cc2f489ba698a2227065731b714905ab56b1de1a/test/parser.c#L27),
no invocation except `mrss_free` is required, so I believe
this is a bug indeed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-25-generic (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmrss0 depends on:
ii  libc6            2.35-0ubuntu3.6
ii  libcurl3-gnutls  7.81.0-1ubuntu1.15
ii  libnxml0         0.18.4-1

libmrss0 recommends no packages.

libmrss0 suggests no packages.

-- no debconf information
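As an added illustration (not code from the bug report, from libmrss or from libnxml), here is the ownership pattern that a `strdup` frame under an attribute lookup with no matching free points at: the lookup hands the caller a heap copy, and every exit path of the caller must release it. The attribute finder, the sample `<rss>` tag and the live-allocation counter are constructed for this demonstration and are not the libnxml implementation; the counter makes the difference between the leaky and the fixed caller visible without running under `-fsanitize=address`, which is what would surface the leaky variant as a LeakSanitizer report at exit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the root element of an RSS 2.0 feed. */
static const char SAMPLE_TAG[] =
    "<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">";

/* Heap strings handed out by find_attribute() and not yet released.
 * It stands in for what LeakSanitizer would report at process exit. */
static long live_allocs = 0;

/* Hypothetical attribute lookup modelled on the contract the ASan trace
 * implies: the value comes back as a heap copy that the caller owns. */
static char *find_attribute(const char *tag, const char *name) {
  size_t nlen = strlen(name);
  if (nlen == 0)
    return NULL;
  const char *p = tag;
  while ((p = strstr(p, name)) != NULL) {
    /* Accept only a whole attribute name followed by =" so that a prefix
       such as "atom" inside "xmlns:atom" does not match. */
    int at_boundary = (p > tag) && (p[-1] == ' ' || p[-1] == '\t');
    if (at_boundary && p[nlen] == '=' && p[nlen + 1] == '"') {
      const char *start = p + nlen + 2;
      const char *end = strchr(start, '"');
      if (end == NULL)
        return NULL;                 /* unterminated value: treat as absent */
      size_t vlen = (size_t)(end - start);
      char *copy = malloc(vlen + 1);
      if (copy == NULL)
        return NULL;
      memcpy(copy, start, vlen);
      copy[vlen] = '\0';
      live_allocs++;
      return copy;
    }
    p += nlen;
  }
  return NULL;
}

/* Counterpart of free() for values returned by find_attribute(). */
static void release(char *value) {
  if (value != NULL) {
    live_allocs--;
    free(value);
  }
}

/* Leaky caller: the early return on the match path drops the copy. */
static int is_rss2_leaky(const char *tag) {
  char *version = find_attribute(tag, "version");
  if (version == NULL)
    return 0;
  if (strncmp(version, "2.", 2) == 0)
    return 1;                        /* leak: version is never released */
  release(version);
  return 0;
}

/* Fixed caller: compute the result first, release on the single exit. */
static int is_rss2_fixed(const char *tag) {
  char *version = find_attribute(tag, "version");
  if (version == NULL)
    return 0;
  int is_rss2 = strncmp(version, "2.", 2) == 0;
  release(version);
  return is_rss2;
}

long live_allocations(void) { return live_allocs; }
void reset_live_allocations(void) { live_allocs = 0; }

int main(void) {
  reset_live_allocations();
  int leaky = is_rss2_leaky(SAMPLE_TAG);
  printf("leaky caller: rss2=%d, live allocations=%ld\n", leaky, live_allocations());
  reset_live_allocations();
  int fixed = is_rss2_fixed(SAMPLE_TAG);
  printf("fixed caller: rss2=%d, live allocations=%ld\n", fixed, live_allocations());
  return 0;
}
```

The same discipline applies to every string a parser returns by copy: a feed reader parses input it does not control, and a per-document leak repeats on every fetch, so a leak that LeakSanitizer reports on one crafted file is a resource-exhaustion problem on a long-running consumer, not just untidiness.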