GNU bug report logs - #19578
Memory leaks in coreutils/lib/locale_charset.c
Reported by: Zhaopeng Li <zpli <at> ustc.edu.cn>
Date: Tue, 13 Jan 2015 05:49:02 UTC
Severity: normal
Tags: notabug
Merged with 19580
Done: Pádraig Brady <P <at> draigBrady.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-coreutils <at> gnu.org: bug#19578; Package coreutils. (Tue, 13 Jan 2015 05:49:02 GMT)
Acknowledgement sent to Zhaopeng Li <zpli <at> ustc.edu.cn>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Tue, 13 Jan 2015 05:49:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Platform: Ubuntu 14.10 64-bit
Coreutils Version 8.23
At line 534 of coreutils/lib/locale_charset.c, var 'aliases' points to a buffer which is allocated using malloc().
This buffer is not freed when codeset is still an empty string after the loop (Line 534~542).
So it will be leaked in such a situation.
Line 533   /* Resolve alias. */
Line 534   for (aliases = get_charset_aliases ();
                *aliases != '\0';
                aliases += strlen (aliases) + 1, aliases += strlen (aliases) + 1)
             if (strcmp (codeset, aliases) == 0
                 || (aliases[0] == '*' && aliases[1] == '\0'))
               {
                 codeset = aliases + strlen (aliases) + 1;
                 break;
               }
           /* Don't return an empty string. GNU libc and GNU libiconv interpret
              the empty string as denoting "the locale's character encoding",
              thus GNU libiconv would call this function a second time. */
           if (codeset[0] == '\0')
             codeset = "ASCII";
Information forwarded to bug-coreutils <at> gnu.org: bug#19578; Package coreutils. (Tue, 13 Jan 2015 09:36:02 GMT)
Message #8 received at 19578 <at> debbugs.gnu.org:
Zhaopeng Li <zpli <at> ustc.edu.cn> writes:
> At line 534 of coreutils/lib/locale_charset.c, var 'aliases' points
> to a buffer which is allocated using malloc().
> This buffer is not freed when codeset is still an empty string after
> the loop (Line 534~542).
>
> So it will be leaked in such a situation.
> Line 533 /* Resolve alias. */
> Line 534 for (aliases = get_charset_aliases ();

I got the same error from clang-analyzer, but I think the leak is
intentional and harmless. The return value of get_charset_aliases is
saved in a global variable charset_aliases and won't be allocated twice.
Regards,
--
Daiki Ueno
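
Added example (not part of the original thread, and not gnulib's code): a simplified C model of the allocate-once cache described in the reply above, with the resolve loop as quoted in the report. The table contents, `sample_table`, `alloc_count`, `resolve_codeset`, `points_into_cache` and the body of `get_charset_aliases` are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed table: "alias\0canonical\0" pairs; the literal's own NUL ends it. */
static const char sample_table[] = "ISO8859-1\0ISO-8859-1\0" "utf8\0UTF-8\0";
static const char *charset_aliases;   /* global cache named in the thread */
static int alloc_count;               /* instrumentation, example only */

/* Stand-in loader (assumption): allocates once, then returns the cache. */
static const char *get_charset_aliases (void)
{
  if (charset_aliases != NULL)
    return charset_aliases;            /* later calls: no second malloc */
  char *buf = malloc (sizeof sample_table);
  if (buf == NULL)
    return charset_aliases = "";       /* out of memory: empty table */
  memcpy (buf, sample_table, sizeof sample_table);
  alloc_count++;
  return charset_aliases = buf;        /* kept until exit, never freed */
}

/* Resolve loop as quoted in the report. On a match the result points INTO
   the cached buffer, so a free() here would hand back a dangling pointer. */
static const char *resolve_codeset (const char *codeset)
{
  const char *aliases;
  for (aliases = get_charset_aliases ();
       *aliases != '\0';
       aliases += strlen (aliases) + 1, aliases += strlen (aliases) + 1)
    if (strcmp (codeset, aliases) == 0
        || (aliases[0] == '*' && aliases[1] == '\0'))
      {
        codeset = aliases + strlen (aliases) + 1;
        break;
      }
  return codeset[0] == '\0' ? "ASCII" : codeset;
}

static int points_into_cache (const char *p)
{
  const char *base = get_charset_aliases ();
  return alloc_count == 1 && p >= base && p < base + sizeof sample_table;
}

int main (void)
{
  const char *r = resolve_codeset ("utf8");
  resolve_codeset ("ISO8859-1");       /* second call reuses the cache */
  return !(alloc_count == 1 && points_into_cache (r));
}
```

An allocation of this kind stays reachable through the global until exit, which is why a per-function leak check flags it while the process's memory use does not grow with repeated calls.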
Information forwarded to bug-coreutils <at> gnu.org: bug#19578; Package coreutils. (Tue, 13 Jan 2015 10:04:02 GMT)
Message #11 received at 19578 <at> debbugs.gnu.org:
On 13/01/15 04:06, Zhaopeng Li wrote:
> Platform: Ubuntu 14.10 64-bit
> Coreutils Version 8.23
>
> At line 534 of coreutils/lib/locale_charset.c, var 'aliases' points to a buffer which is allocated using malloc().
>
> This buffer is not freed when codeset is still an empty string after the loop (Line 534~542).
>
> So it will be leaked in such a situation.
>
> Line 533   /* Resolve alias. */
> Line 534   for (aliases = get_charset_aliases ();
>                 *aliases != '\0';
>                 aliases += strlen (aliases) + 1, aliases += strlen (aliases) + 1)
>              if (strcmp (codeset, aliases) == 0
>                  || (aliases[0] == '*' && aliases[1] == '\0'))
>                {
>                  codeset = aliases + strlen (aliases) + 1;
>                  break;
>                }
>
>            /* Don't return an empty string. GNU libc and GNU libiconv interpret
>               the empty string as denoting "the locale's character encoding",
>               thus GNU libiconv would call this function a second time. */
>            if (codeset[0] == '\0')
>              codeset = "ASCII";

What reports this leak?
Note that file name is not present in coreutils?
The code you're referring to is:
http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=blob;f=lib/localcharset.c;h=b4af28cd#l588
Though aliases is never freed here, nor should it be.
What am I missing?
thanks,
Pádraig
Information forwarded to bug-coreutils <at> gnu.org: bug#19578; Package coreutils. (Tue, 13 Jan 2015 10:08:02 GMT)
Message #14 received at 19578 <at> debbugs.gnu.org:
tag 19578 notabug
close 19578
stop
On 13/01/15 09:35, Daiki Ueno wrote:
> Zhaopeng Li <zpli <at> ustc.edu.cn> writes:
>
>> At line 534 of coreutils/lib/locale_charset.c, var 'aliases' points
>> to a buffer which is allocated using malloc().
>
>> This buffer is not freed when codeset is still an empty string after
>> the loop (Line 534~542).
>>
>> So it will be leaked in such a situation.
>
>> Line 533 /* Resolve alias. */
>> Line 534 for (aliases = get_charset_aliases ();
>
> I got the same error from clang-analyzer, but I think the leak is
> intentional and harmless. The return value of get_charset_aliases is
> saved in a global variable charset_aliases and won't be allocated twice.
Thanks Daiki.
Closing for now.
Added tag(s) notabug. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 13 Jan 2015 10:08:02 GMT)
bug closed, send any further explanations to 19578 <at> debbugs.gnu.org and Zhaopeng Li <zpli <at> ustc.edu.cn>. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 13 Jan 2015 10:08:03 GMT)
Information forwarded to bug-coreutils <at> gnu.org: bug#19578; Package coreutils. (Tue, 13 Jan 2015 10:19:02 GMT)
Message #21 received at 19578 <at> debbugs.gnu.org:
At line 589 of coreutils/lib/locale_charset.c, var 'aliases' points to a buffer which is allocated using malloc(). This buffer is not freed when codeset is still an empty string after the loop (Line 589~597).
So it will be leaked in such a situation.
Our static analysis tool reports this problem.
588    /* Resolve alias. */
589    for (aliases = get_charset_aliases ();
590         *aliases != '\0';
591         aliases += strlen (aliases) + 1, aliases += strlen (aliases) + 1)
592      if (strcmp (codeset, aliases) == 0
593          || (aliases[0] == '*' && aliases[1] == '\0'))
594        {
595          codeset = aliases + strlen (aliases) + 1;
596          break;
597        }
598
599    /* Don't return an empty string. GNU libc and GNU libiconv interpret
600       the empty string as denoting "the locale's character encoding",
601       thus GNU libiconv would call this function a second time. */
602    if (codeset[0] == '\0')
603      codeset = "ASCII";
604
605  #ifdef DARWIN7
606    /* Mac OS X sets MB_CUR_MAX to 1 when LC_ALL=C, and "UTF-8"
607       (the default codeset) does not work when MB_CUR_MAX is 1. */
608    if (strcmp (codeset, "UTF-8") == 0 && MB_CUR_MAX_L (uselocale (NULL)) <= 1)
609      codeset = "ASCII";
610  #endif
611
612    return codeset;
613  }
Forcibly Merged 19578 19580. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 13 Jan 2015 10:56:02 GMT)
bug closed, send any further explanations to 19580 <at> debbugs.gnu.org and Zhaopeng Li <zpli <at> ustc.edu.cn>. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Tue, 13 Jan 2015 11:16:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 10 Feb 2015 12:24:04 GMT)
This bug report was last modified 10 years and 136 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.