[geos-devel] [GEOS] #830: Possible memory leak in WKTReader with partial MULTIPOLYGON
GEOS
geos-trac at osgeo.org
Tue Apr 11 14:41:47 PDT 2017
#830: Possible memory leak in WKTReader with partial MULTIPOLYGON
------------------------+--------------------------
Reporter: goatbar | Owner: geos-devel@…
Type: defect | Status: new
Priority: minor | Milestone:
Component: Default | Version: 3.5.0
Severity: Unassigned | Keywords: wkt fuzzing
------------------------+--------------------------
Seeing this with llvm fuzzing with ASAN and geos 3.5.0.
Am I doing something wrong with the API or is this a bug with WKTReader
not cleaning up in the case of an exception?
Given this input string:
{{{
MULTIPOLYGON(
}}}
And this code:
{{{#!c++
// Copyright 2017 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include <stddef.h>
#include <stdint.h>

#include <memory>  // std::unique_ptr
#include <string>

#include "third_party/geos/include/geos/geom/CoordinateSequence.h"
#include "third_party/geos/include/geos/geom/Geometry.h"
#include "third_party/geos/include/geos/io/WKTReader.h"

typedef std::unique_ptr<geos::geom::Geometry> GeomPtr;
typedef std::unique_ptr<geos::geom::CoordinateSequence> CoordSeqPtr;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Ensure there is a NUL at the end of the data passed to the reader.
  const std::string s(reinterpret_cast<const char *>(data), size);
  try {
    geos::io::WKTReader reader;
    GeomPtr geom(reader.read(s));
    CoordSeqPtr coords(geom->getCoordinates());
    coords->getDimension();
  } catch (...) {
    // NOP
  }
  return 0;
}
}}}
{{{
Running: leak-1c9d82726612fdd23af7740675fa675af0cebe0f
=================================================================
==23962==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x500942 in operator new(unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:82:35
    #1 0x66cffc in geos::io::WKTReader::readMultiPolygonText(geos::io::StringTokenizer*) third_party/geos/geos-3.5.0/src/io/WKTReader.cpp:422:31
    #2 0x668ced in geos::io::WKTReader::readGeometryTaggedText(geos::io::StringTokenizer*) third_party/geos/geos-3.5.0/src/io/WKTReader.cpp:240:10
    #3 0x668784 in geos::io::WKTReader::read(std::string const&) third_party/geos/geos-3.5.0/src/io/WKTReader.cpp:67:4
    #4 0x5037a3 in LLVMFuzzerTestOneInput third_party/geos/tests/io/wktreader_fuzzer.cc:33:23
SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
}}}
--
Ticket URL: <https://trac.osgeo.org/geos/ticket/830>
GEOS <http://trac.osgeo.org/geos>
GEOS (Geometry Engine - Open Source) is a C++ port of the Java Topology Suite (JTS).
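
The failure mode the ticket asks about (a parser that heap-allocates a container and then throws on truncated input before releasing it), as an added example that is not part of the original post and is not GEOS code. `Parts`, `readGroup`, `parseRaw`, `parseOwned` and `leakedObjects` are hypothetical names, and the toy grammar `NAME((..),(..))` is constructed for illustration.

```cpp
// Added illustration with hypothetical names; this is not GEOS source code.
#include <cstddef>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Parse result that registers itself so an undestroyed object can be counted.
struct Parts {
    static std::set<Parts*>& live() { static std::set<Parts*> s; return s; }
    std::vector<std::size_t> groupLengths;
    Parts() { live().insert(this); }
    ~Parts() { live().erase(this); }
};
// Sub-parser: consumes one "(...)" group, throws on truncated input.
static std::size_t readGroup(const std::string& s, std::size_t& pos) {
    if (pos >= s.size() || s[pos] != '(') throw std::runtime_error("expected '('");
    const std::size_t close = s.find(')', pos);
    if (close == std::string::npos) throw std::runtime_error("unterminated group");
    const std::size_t len = close - pos - 1;
    pos = close + 1;
    return len;
}
// Leak-prone: raw owning pointer; a throw from readGroup skips the delete.
std::size_t parseRaw(const std::string& s) {
    std::size_t pos = s.find('(') + 1;  // step past the outer '('
    Parts* parts = new Parts();
    do { parts->groupLengths.push_back(readGroup(s, pos)); }
    while (pos < s.size() && s[pos++] == ',');
    const std::size_t n = parts->groupLengths.size();
    delete parts;
    return n;
}
// Exception-safe: unique_ptr destroys Parts during stack unwinding.
std::size_t parseOwned(const std::string& s) {
    std::size_t pos = s.find('(') + 1;
    std::unique_ptr<Parts> parts(new Parts());
    do { parts->groupLengths.push_back(readGroup(s, pos)); }
    while (pos < s.size() && s[pos++] == ',');
    return parts->groupLengths.size();
}
// Runs a parser, swallows the error as the fuzz target does, returns how many
// Parts objects stayed alive, and reclaims them so the demo itself stays clean.
std::size_t leakedObjects(std::size_t (*parse)(const std::string&), const std::string& s) {
    try { parse(s); } catch (const std::exception&) {}
    const std::set<Parts*> left = Parts::live();
    for (Parts* p : left) delete p;
    return left.size();
}
```

On the constructed input `MULTI(`, `leakedObjects(parseRaw, ...)` reports one surviving object and `leakedObjects(parseOwned, ...)` reports none; well-formed input leaves nothing behind in either version.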