Detected memory leaks on timg
Frank-Z7 opened this issue · 0 comments
Frank-Z7 commented
Memory leaks on timg
Description
When running timg under the "-g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15" configuration options, we found two memory leaks in the function main at /src/timg.cc:541:30 and /src/timg.cc:961:35.
Command1
./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 id\:000000\,sig\:06\,src\:001731\,time\:1596515\,execs\:39195\,op\:havoc\,rep\:3
ASAN Log1
cd timg
./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 id:000000,sig:06,src:001731,time:1596515,execs:39195,op:havoc,rep:3
=================================================================
==2978288==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x487e04 in strdup (/afltest/timg/src/timg+0x487e04)
#1 0x4d08a2 in main /afltest/timg/src/timg.cc:541:30
#2 0x7ffff7587082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s).
Location1
main /afltest/timg/src/timg.cc:541:30
PoC1:
Command2
./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 poc2timg
ASAN Log2
cd timg
./src/timg -g60x59 --center -b 'blue' --fit-width --clear -ph --auto-crop=15 poc2timg
=================================================================
==581413==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1056 byte(s) in 1 object(s) allocated from:
#0 0x49c4f7 in posix_memalign (/afltest/timg/src/timg+0x49c4f7)
#1 0x3d39bcf in av_malloc /afltest/ffmpeg/ffmpeg-4.2.4/libavutil/mem.c:87:9
#2 0x209894c in avcodec_alloc_context3 /afltest/ffmpeg/ffmpeg-4.2.4/libavcodec/options.c:158:28
#3 0x4fb0de in timg::ImageSource::Create(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, timg::DisplayOptions const&, int, int, bool, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /afltest/timg/src/image-source.cc:198:21
#4 0x4e95aa in main::$_5::operator()() const /afltest/timg/src/timg.cc:961:35
#5 0x4e95aa in std::_Function_handler<timg::ImageSource* (), main::$_5>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:285:9
#6 0x4eb9cd in std::function<timg::ImageSource* ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
#7 0x4eb9cd in std::future<timg::ImageSource*> timg::ThreadPool::ExecAsync<timg::ImageSource*>(std::function<timg::ImageSource* ()>)::'lambda'()::operator()() const /afltest/timg/src/thread-pool.h:50:26
#8 0x4eb9cd in std::_Function_handler<void (), std::future<timg::ImageSource*> timg::ThreadPool::ExecAsync<timg::ImageSource*>(std::function<timg::ImageSource* ()>)::'lambda'()>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:300:2
#9 0x4dfaae in std::function<void ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
#10 0x4dfaae in timg::ThreadPool::Runner() /afltest/timg/src/thread-pool.h:76:13
#11 0x7ffff787bdf3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6df3)
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x487e04 in strdup (/afltest/timg/src/timg+0x487e04)
#1 0x4d08a2 in main /afltest/timg/src/timg.cc:541:30
#2 0x7ffff7587082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: 1061 byte(s) leaked in 2 allocation(s).
Location2
PoC2:
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2timg
Version
timg v1.5.2-2-gc5635a0 2023-09-01 05:16:08 -0700 <https://timg.sh/>
Copyright (c) 2016..2023 Henner Zeller. This program is free software; license GPL 2.0.
Image decoding GraphicsMagick 1.3.35 (2020-02-23)
Turbo JPEG
QOI image loading
STB image loading fallback
swscale 5.5.100
Video decoding libav 58.29.100; avdevice 58.8.100
Half, quarter, iterm2, and kitty graphics output: timg builtin.
Libsixel version 1.8.2
Reference
https://github.com/hzeller/timg
Actual Behavior
Memory leaks
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
Thanks for your time!
Credit
Zeng Yunxiang
Song Jiaxuan
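The two stack traces above show the two common shapes of a leak that LeakSanitizer reports as a "direct leak": a C string duplicated with strdup() and never freed, and a context handed out by a C-library allocator (here avcodec_alloc_context3, whose matching release call in FFmpeg is avcodec_free_context) that is dropped before its release call runs. The following self-contained C++ program is an added illustration of those two patterns and of the RAII form that closes them; it is not timg's code and makes no claim about where timg's allocations actually go. fake_alloc_ctx / fake_free_ctx are constructed stand-ins for a C allocator/free pair, with a live-object counter so the leak can be observed without a sanitizer:

```cpp
// Added example: the leak shapes from the LSan traces above, in reduced form.
// Nothing here is timg's code; FakeCtx and its alloc/free pair are constructed
// stand-ins for a C library context (e.g. AVCodecContext).
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>

// Constructed stand-in for a C-library allocator/free pair. Every context
// that is allocated but never passed back to fake_free_ctx stays counted.
struct FakeCtx { int id; };
static int g_live_ctx = 0;

FakeCtx* fake_alloc_ctx() { ++g_live_ctx; return new FakeCtx{g_live_ctx}; }
void fake_free_ctx(FakeCtx** pp) {
    if (pp && *pp) { delete *pp; *pp = nullptr; --g_live_ctx; }
}

// Leaky pattern. The strdup() result lives in a raw char* that is never
// freed (the "Direct leak of 5 byte(s) ... strdup" shape), and the context is
// abandoned on the early-return path (the "allocated from ... alloc_context"
// shape). A tool like LSan will report both at process exit.
bool parse_options_leaky(const char* bg_color, bool early_exit) {
    char* color = strdup(bg_color);      // owner never calls free(color)
    FakeCtx* ctx = fake_alloc_ctx();
    if (early_exit) return false;        // ctx leaks here, color leaks always
    fake_free_ctx(&ctx);
    return color[0] != '\0';
}

// RAII form. std::string owns the copy of the option text, and a unique_ptr
// with a custom deleter guarantees the context's release call runs on every
// exit path, including the early return.
static void ctx_deleter(FakeCtx* c) { fake_free_ctx(&c); }
using CtxPtr = std::unique_ptr<FakeCtx, void (*)(FakeCtx*)>;

bool parse_options_fixed(const char* bg_color, bool early_exit) {
    std::string color = bg_color;                // freed by its destructor
    CtxPtr ctx(fake_alloc_ctx(), &ctx_deleter);  // released by ctx_deleter
    if (early_exit) return false;                // no leak on this path
    return !color.empty();
}

// Number of contexts currently allocated and not released.
int live_contexts() { return g_live_ctx; }

int main() {
    parse_options_fixed("blue", true);
    parse_options_fixed("blue", false);
    std::cout << "live contexts after RAII version: " << live_contexts() << "\n";
    parse_options_leaky("blue", true);
    std::cout << "live contexts after leaky early return: " << live_contexts() << "\n";
    return 0;
}
```

Building this file with `-fsanitize=address` and running it reproduces the same kind of "Direct leak ... strdup" report shown in the issue for the leaky path, while the RAII path produces none; the live-context counter gives the same signal without a sanitizer.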