First, I must admit that I cannot write issues in English very well. The following content was generated with the help of AI, and I hope it helps you:
While fuzzing milo-parser, I found a memory leak during HTTP parsing.
All the leak artifacts I found (leak-* files) share the same root cause, so this is one single issue.
The leak happens in the error path:
22 bytes leaked
Location: src/lib.rs:240 in fail()
Trigger: invalid HTTP message
This is not a security vulnerability, but it is a resource leak that could cause long-running processes to consume more memory over time.
Found these leak inputs during fuzzing:
leak-2ad153b35438e03d2ec04e1969390f124c5a3cd6
leak-34175a8932cc5fef44ac47dc73bddbe6bd383116
leak-e806ef6780721bc888c02f3f209a473bf70446af
All are the same bug, just different inputs triggering the same code path.
Test case (hex dump):
1.leak-2ad153b35438e03d2ec04e1969390f124c5a3cd6
00000000: 4745 5420 2f0d 0a0d 0a GET /....
2.leak-e806ef6780721bc888c02f3f209a473bf70446af
00000000: 4854 5450 2f0d 48 HTTP/.H
3.leak-34175a8932cc5fef44ac47dc73bddbe6bd383116
00000000: 4854 5450 2f0d 0a HTTP/..
Minimal example input that triggers the leak:
GET /\r\n\r\n
First, I must admit that I cannot write issues in English very well. The following content was generated with the help of AI, and I hope it helps you:
While fuzzing milo-parser, I found a memory leak during HTTP parsing.
All the leak artifacts I found (leak-* files) share the same root cause, so this is one single issue.
The leak happens in the error path:
22 bytes leaked
Location: src/lib.rs:240 in fail()
Trigger: invalid HTTP message
This is not a security vulnerability, but it is a resource leak that could cause long-running processes to consume more memory over time.
Found these leak inputs during fuzzing:
leak-2ad153b35438e03d2ec04e1969390f124c5a3cd6
leak-34175a8932cc5fef44ac47dc73bddbe6bd383116
leak-e806ef6780721bc888c02f3f209a473bf70446af
All are the same bug, just different inputs triggering the same code path.
Test case (hex dump):
1.leak-2ad153b35438e03d2ec04e1969390f124c5a3cd6
00000000: 4745 5420 2f0d 0a0d 0a GET /....
2.leak-e806ef6780721bc888c02f3f209a473bf70446af
00000000: 4854 5450 2f0d 48 HTTP/.H
3.leak-34175a8932cc5fef44ac47dc73bddbe6bd383116
00000000: 4854 5450 2f0d 0a HTTP/..
Minimal example input that triggers the leak:
GET /\r\n\r\n