Fix memory leak in fuzz_array.c caused by cupsArrayDup #8
Conversation
This change adds a loop to explicitly free the strdup'd strings inside the array returned by cupsArrayDup. cupsArrayDup creates a shallow copy of the array and duplicates each element using strdup(), but does not associate a free callback with the new array. Without manual deallocation, these duplicated strings are leaked. The added loop iterates over the elements in the duplicated array and frees them before deleting the array itself, ensuring proper cleanup and resolving the LeakSanitizer issue. Tested with: python3 infra/helper.py run_fuzzer cups fuzz_array
There was a problem hiding this comment.
Thank you for the PR! We appreciate your effort to improve the quality of our existing fuzzing harnesses. However, I am confused regarding the reason for the explicit free(elem) needed for dup_array when cupsArrayDelete() afterwards should handle element cleanup via _cupsArrayFree?
What test case triggers the fixed "2-byte leak"? Could you share the ASAN logs showing this specific leak, or directly share with the testcase that triggers the mentioned issue? Thank you
|
You're right, under normal circumstances, I've also attached the asan_log.txt for reference. |
Thank you for your reply. Based on the log you provided, it appears that the |
|
Thank you for your clarification and for pointing out the root cause regarding the alloc-dealloc mismatch. Additionally, I’ve compressed and attached the input file that caused the crash for your reference: |
Overview
This patch fixes a 2-byte memory leak in the existing CUPS fuzzer (
fuzz_array.c). The leak occurred becausecupsArrayDup()duplicates each element, but those new allocations weren’t freed before deleting the array.Changes
cupsArrayDup(), added a loop to iterate over every element in the duplicated array and callfree()on each one.python3 infra/helper.py run_fuzzer cups fuzz_array