InChI Facilities and Applications / Bugs / #22 Memory Leak

#22 Memory Leak

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2017-11-07

Created: 2017-11-07

Creator: Google-Autofuzz

Private: No

Hello International Chemical Identifier (InChI) team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
International Chemical Identifier (InChI) (tested with revision v1.04, September 2011). To reproduce, we are
attaching a Dockerfile which compiles the project with LLVM, taking advantage of
the sanitizers that it offers. More information about how to use the attached
Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

TL;DR instructions:

mkdir project
cp Dockerfile /path/to/project
docker build --no-cache /path/to/project
docker run -it image_id_from_docker_build

From another terminal, outside the container:
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
/fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

=================================================================
==9==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 160 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)
#1 0x65bb46 in ParseSegmentFormula(char const*, int, tagINChI**, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7598:43
#2 0x653bd6 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4465:19
#3 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#4 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#5 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#6 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#7 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#8 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)
#1 0x6577b8 in nFillOutProtonMobileH(tagINChI*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7469:44
#2 0x65bb83 in ParseSegmentFormula(char const*, int, tagINChI**, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7602:23
#3 0x653bd6 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4465:19
#4 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#5 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#6 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#7 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#8 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#9 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)
#1 0x65dd74 in ParseSegmentConnections(char const*, int, tagINChI**, int*, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7033:51
#2 0x653c78 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4469:19
#3 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#4 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#5 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#6 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#7 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#8 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

Indirect leak of 2 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)#1 0x6575d4 in nFillOutProtonMobileH(tagINChI*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7446:46
#2 0x65bb83 in ParseSegmentFormula(char const*, int, tagINChI**, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7602:23
#3 0x653bd6 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4465:19
#4 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#5 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#6 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#7 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#8 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#9 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

Indirect leak of 2 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)
#1 0x657686 in nFillOutProtonMobileH(tagINChI*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7454:39
#2 0x65bb83 in ParseSegmentFormula(char const*, int, tagINChI**, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7602:23
#3 0x653bd6 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4465:19
#4 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#5 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#6 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#7 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#8 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#9 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

Indirect leak of 2 byte(s) in 1 object(s) allocated from:

#0 0x4ce160 in calloc (/fuzzing/fuzzer+0x4ce160)
#1 0x657809 in nFillOutProtonMobileH(tagINChI*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7474:40
#2 0x65bb83 in ParseSegmentFormula(char const*, int, tagINChI**, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:7602:23
#3 0x653bd6 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4465:19
#4 0x6447eb in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
#5 0x6425b3 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
#6 0x520e25 in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
#7 0x50911e in LLVMFuzzerTestOneInput /fuzzing/fuzzer.c:21:3
#8 0x5101fc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x5101fc)
#9 0x5096dc in main (/fuzzing/fuzzer+0x5096dc)

SUMMARY: AddressSanitizer: 174 byte(s) leaked in 6 allocation(s).

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
68417312

2 Attachments

Dockerfile.inchi

poc-63fd5e8c6dcec135126fbc3aa7cf33905210cebd9226b77a09ab45c23be93c9e_min

Memory Leak

Group

Searches

Help

#22 Memory Leak

Discussion