UPSTREAM: libmbim-glib,message: fix leak when processing string array is aborted
We must define the GPtrArray with a valid GDestroyFunc for its
elements, so that if we abort reading the string array due to a bug in
one of its elements, we fully cleanup the GPtrArray and its temporary
contents.
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x566dc312fb8e in malloc
#1 0x7ab42f23ac00 in try_malloc_n /build/amd64-generic/tmp/portage/dev-libs/glib-2.74.1-r1/work/glib-2.74.1/glib/gutf8.c:831:20
#2 0x7ab42f23b23e in g_utf16_to_utf8 /build/amd64-generic/tmp/portage/dev-libs/glib-2.74.1-r1/work/glib-2.74.1/glib/gutf8.c:1108:12
#3 0x566dc3160ebc in _mbim_message_read_string /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:608:16
#4 0x566dc3161203 in _mbim_message_read_string_array /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:664:14
#5 0x566dc31a65bd in mbim_message_subscriber_ready_status_notification_get_printable /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7-build/src/libmbim-glib/generated/mbim-basic-connect.c:3535:14
#6 0x566dc3169111 in mbim_message_get_printable_full /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/mbim-message.c:0
#7 0x566dc315f0b5 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/net-libs/libmbim-1.29.7-r109/work/libmbim-1.29.7/src/libmbim-glib/test/test-message-fuzzer.c:31:17
#8 0x566dc3063020 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
#9 0x566dc304d890 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
#10 0x566dc3052d54 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
#11 0x566dc307e3b2 in main
#12 0x7ab42e81b6c5 in __libc_start_call_main
#13 0x7ab42e81b781 in __libc_start_main_impl
#14 0x566dc3044c80 in _start
Fixes d39f942f7fb29ca8040bb3b3b4e09d60a1ce34cb
(cherry picked from commit c6728b8e34d828e0c9a11eeb46a5f6e369fc5dd5)
BUG=b:289451093
TEST=Manually run fuzzer reproducer.
(cr) $ setup_board --board=amd64-generic --force
(cr) $ cros_workon --board=amd64-generic start libmbim
(cr) $ build_packages --board=amd64-generic --skip_chroot_upgrade --nousepkg libmbim
(cr) $ cros_fuzz \
--board=amd64-generic \
reproduce \
--testcase ~/chromiumos/chroot/build/amd64-generic/tmp/clusterfuzz-testcase-minimized \
--fuzzer /usr/libexec/fuzzers/test-mbim-message-fuzzer \
--package libmbim \
--build-type
Change-Id: I29c09010e130ba2a70346d525b3233a420ca57ba
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/libmbim/+/4660989
Tested-by: Aleksander Morgado <aleksandermj@google.com>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>
Commit-Queue: Aleksander Morgado <aleksandermj@google.com>
Reviewed-by: Nagi Marupaka <nmarupaka@google.com>
Auto-Submit: Aleksander Morgado <aleksandermj@google.com>
diff --git a/src/libmbim-glib/mbim-message.c b/src/libmbim-glib/mbim-message.c
index 302d9d8..da35ffc 100644
--- a/src/libmbim-glib/mbim-message.c
+++ b/src/libmbim-glib/mbim-message.c
@@ -656,7 +656,7 @@
return TRUE;
}
- array = g_ptr_array_new ();
+ array = g_ptr_array_new_with_free_func (g_free);
for (i = 0, offset = relative_offset_array_start; i < array_size; offset += 8, i++) {
gchar *str;
