Plug memory leaks identified by fuzzer+Valgrind

2021-10-20 00:27:14 -04:00 · 2021-10-20 00:27:14 -04:00 · b6d0566642
parent 41ad163c5b
commit b6d0566642
4 changed files with 33 additions and 2 deletions
--- a/crates/engine_xetex/xetex/xetex-ext.c
+++ b/crates/engine_xetex/xetex/xetex-ext.c
@ -218,6 +218,8 @@ load_mapping_file(const char* s, const char* e, char byteMapping)
            font_mapping_warning(buffer, strlen(buffer), 2); /* not loadable */
        else if (get_tracing_fonts_state() > 1)
            font_mapping_warning(buffer, strlen(buffer), 0); /* tracing */
+
+        free(mapping);
    } else {
        font_mapping_warning(buffer, strlen(buffer), 1); /* not found */
    }
--- a/crates/engine_xetex/xetex/xetex-ini.c
+++ b/crates/engine_xetex/xetex/xetex-ini.c
@ -3,6 +3,13 @@
   Licensed under the MIT License.
 */

+/* On Windows this can bring in a `#define INPUT` that clashes with
+ * xetex_format.h, so include it first and sanitize: */
+#include "teckit-c-Engine.h"
+#ifdef INPUT
+#undef INPUT
+#endif
+
 #include "xetex-core.h"
 #include "xetex-xetexd.h"
 #include "xetex-synctex.h"
@ -2764,7 +2771,7 @@ load_fmt_file(void)

    font_ptr = x;

-    font_mapping = xmalloc_array(void *, font_max);
+    font_mapping = xcalloc_array(void *, font_max);
    font_layout_engine = xcalloc_array(void *, font_max);
    font_flags = xmalloc_array(char, font_max);
    font_letter_space = xmalloc_array(scaled_t, font_max);
@ -3508,6 +3515,11 @@ tt_cleanup(void) {
            release_font_engine(font_layout_engine[font_k], font_area[font_k]);
            font_layout_engine[font_k] = NULL;
        }
+
+        if (font_mapping[font_k] != NULL) {
+            TECkit_DisposeConverter((TECkit_Converter) font_mapping[font_k]);
+            font_mapping[font_k] = NULL;
+        }
    }

    for (int i = 1; i <= in_open; i++) {
--- a/crates/pdf_io/pdf_io/dpx-pdfdraw.c
+++ b/crates/pdf_io/pdf_io/dpx-pdfdraw.c
@ -878,7 +878,7 @@ typedef struct pdf_gstate_
  pdf_obj *extgstate;
 } pdf_gstate;

-static dpx_stack gs_stack;
+static dpx_stack gs_stack = { 0, NULL, NULL };

 static void
 init_a_gstate (pdf_gstate *gs)
@ -1112,6 +1112,16 @@ pdf_dev_init_gstates (void)
 {
  pdf_gstate *gs;

+  /* Tectonic: this function is called twice in the xdvipdfmx driver init,
+   * resulting in a small amount of leaked memory. We statically initialize the
+   * stack variable to make it possible to safely avoid the leak in this
+   * situation. */
+
+  while ((gs = dpx_stack_pop(&gs_stack)) != NULL) {
+    clear_a_gstate(gs);
+    free(gs);
+  }
+
  dpx_stack_init(&gs_stack);

  gs = NEW(1, pdf_gstate);
--- a/fuzz/run-fuzzer.sh
+++ b/fuzz/run-fuzzer.sh
@ -1,4 +1,11 @@
 #!/usr/bin/env bash
+
+# NOTE: install `llvm-dev` or whichever package provides `llvm-symbolizer` if
+# you want your stack traces to have any useful information! Otherwise none of
+# the binary addresses are decoded when the fuzzer finds problems. You may also
+# need to add the `-D` flag to `cargo fuzz run` to get more meaningful
+# backtraces, at the expense of the fuzzer running much slower.
+
 set -e
 set -o pipefail
 HERE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"