fixed leaks in CHOICE/XER and REAL conversion

ChangeLog

@@ -5,6 +5,8 @@
     * Added IEEE 1609.2 example.
     * Added SAE J2735 example.
     * CVE-2017-12966 verified not present.
+    * Fix incomplete (failed) CHOICE XER decoding memory leak.
+    * Fix REAL type overwrite conversion memory leak.
 
 0.9.28: 2017-03-26
     * PER decoding: avoid memory leak on error. By github.com/simo5

skeletons/REAL.c

@@ -694,6 +694,7 @@ asn_double2REAL(REAL_t *st, double dbl_value) {
 		if(!st->buf || st->size < 2) {
 			ptr = (uint8_t *)MALLOC(2);
 			if(!ptr) return -1;
+			if(st->buf) FREEMEM(st->buf);
 			st->buf = ptr;
 		}
 		/* fpclassify(3) is not portable yet */
@@ -717,6 +718,7 @@ asn_double2REAL(REAL_t *st, double dbl_value) {
 			} else {
 				/* Negative zero. #8.5.3, 8.5.9 */
 				st->buf[0] = 0x43;
+				st->buf[1] = 0;
 				st->size = 1;
 			}
 		}

skeletons/constr_CHOICE.c

@@ -605,6 +605,7 @@ CHOICE_decode_xer(const asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *t
 			asn_dec_rval_t tmprval;
 			void *memb_ptr;		/* Pointer to the member */
 			void **memb_ptr2;	/* Pointer to that pointer */
+			unsigned old_present;
 
 			elm = &td->elements[edx];
 
@@ -624,13 +625,14 @@ CHOICE_decode_xer(const asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *t
 			XER_ADVANCE(tmprval.consumed);
 			ASN_DEBUG("XER/CHOICE: itdf: [%s] code=%d",
 				elm->type->name, tmprval.code);
-			if(tmprval.code != RC_OK)
-				RETURN(tmprval.code);
-			assert(_fetch_present_idx(st,
-				specs->pres_offset, specs->pres_size) == 0);
+			old_present = _fetch_present_idx(st,
+				specs->pres_offset, specs->pres_size);
+			assert(old_present == 0 || old_present == edx + 1);
 			/* Record what we've got */
 			_set_present_idx(st,
 				specs->pres_offset, specs->pres_size, edx + 1);
+			if(tmprval.code != RC_OK)
+				RETURN(tmprval.code);
 			ctx->phase = 3;
 			/* Fall through */
 		}

tests/tests-c-compiler/check-assembly.sh

@@ -123,7 +123,7 @@ cat <<TARGETS >> "${testdir}/Makefile.targets"
 check-fuzzer:
 TARGETS
 else
-    CHECK_FUZZER="UBSAN_OPTIONS=print_stacktrace=1 ./check-fuzzer -timeout=3 -max_total_time=60 -max_len=512 -detect_leaks=1 ${OPT_DATA_DIR}"
+    CHECK_FUZZER="ASAN_OPTIONS=detect_leaks=1 UBSAN_OPTIONS=print_stacktrace=1 ./check-fuzzer -timeout=3 -max_total_time=60 -max_len=512 ${OPT_DATA_DIR}"
 cat <<TARGETS >> "${testdir}/Makefile.targets"
 check-fuzzer: \$(OBJS)
 	rm -f ${source_obj}
@@ -140,9 +140,13 @@ check-succeeded: compiled-module
 	\$(MAKE) check-fuzzer
 	@rm -f check-succeeded
 	./check-executable
-	${CHECK_FUZZER}
+	\$(MAKE) fuzz
 	@touch check-succeeded
 
+.PHONY: fuzz
+fuzz:
+	${CHECK_FUZZER}
+
 check: check-succeeded
 
 clean:

tests/tests-skeletons/Makefile.am

@@ -26,3 +26,4 @@ AM_LDFLAGS = $(top_builddir)/skeletons/libasn1cskeletons.la
 LDADD = -lm
 
 TESTS = $(check_PROGRAMS)
+TESTS_ENVIRONMENT= ASAN_OPTIONS=detect_leaks=1 UBSAN_OPTIONS=print_stacktrace=1