gdk-pixbuf: fix memory leaks and API misuse in pixbuf_cons_fuzzer (google#15080)

OwenSanzas · DavidKorczynski · web-flow · commit e244e64313bb · 2026-03-23T08:53:46.000Z
## Summary This is **not** a bug in gdk-pixbuf. It is a bug in the fuzz harness `pixbuf_cons_fuzzer` that causes **memory leaks** (1704 bytes in 8 allocations per iteration) detectable by LeakSanitizer, and an **API contract violation** (`gdk_pixbuf_scale` with same src and dest). ### False Positive Impact If left unfixed, any leak report from this fuzzer will be a **false positive** — the leaks originate in the harness, not in gdk-pixbuf. This can lead to: - **Wasted developer time**: Maintainers investigating leak reports that are not real gdk-pixbuf bugs - **Noise in OSS-Fuzz dashboards**: Persistent unfixed "bugs" that are actually harness defects - **Amplified impact in the AI era**: AI-assisted fuzzing tools increasingly reference existing OSS-Fuzz harnesses as ground truth. A buggy harness pattern can be copied and propagated by LLM-based harness generators, multiplying false positives across downstream projects ### Bugs Fixed **P1 (Harness Logic)**: Multiple intermediate `GdkPixbuf` objects leaked — `tmp` is overwritten repeatedly without freeing previous values: ```c tmp = gdk_pixbuf_rotate_simple(pixbuf, rot_amount * 90); // rotated leaked tmp = gdk_pixbuf_flip(pixbuf, TRUE); // flipped leaked tmp = gdk_pixbuf_composite_color_simple(pixbuf, ...); // composite leaked ``` Also, `GBytes` from `g_bytes_new_static()` is never freed. **P2 (API Protocol)**: `gdk_pixbuf_scale(pixbuf, pixbuf, ...)` uses the same pixbuf as both source and destination. The [API documentation](https://docs.gtk.org/gdk-pixbuf/method.Pixbuf.scale.html) requires they be different. ### LSan Report ``` ==14==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 calloc #1 g_malloc0 (gmem.c:133) ... #5 gdk_pixbuf_new_from_data (gdk-pixbuf-data.c:79) #6 LLVMFuzzerTestOneInput (pixbuf_cons_fuzzer.c:65) SUMMARY: AddressSanitizer: 1704 byte(s) leaked in 8 allocation(s). ``` The leak triggers on the **first seed corpus input** and is 100% reproducible. ### Fix 1. Free each intermediate `tmp` with `g_object_unref()` before reassignment 2. Add `g_bytes_unref(bytes)` on all paths 3. Replace `gdk_pixbuf_scale(src==dest)` with `gdk_pixbuf_scale_simple()` Co-authored-by: DavidKorczynski <david@adalogics.com>
diff --git a/projects/gdk-pixbuf/targets/pixbuf_cons_fuzzer.c b/projects/gdk-pixbuf/targets/pixbuf_cons_fuzzer.c
@@ -24,7 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         return 0;
     }
     const gchar *profile;
-    GdkPixbuf *pixbuf, *tmp;
+    GdkPixbuf *pixbuf, *tmp, *tmp2;
     GBytes *bytes;
     bytes = g_bytes_new_static(data, size);
     pixbuf = g_object_new(GDK_TYPE_PIXBUF,
@@ -36,25 +36,32 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             "pixel-bytes", bytes,
             NULL);
     if (pixbuf == NULL) {
+        g_bytes_unref(bytes);
         return 0;
     }
-    gdk_pixbuf_scale(pixbuf, pixbuf,
-            0, 0, 
-            gdk_pixbuf_get_width(pixbuf) / 4, 
+
+    tmp = gdk_pixbuf_scale_simple(pixbuf,
+            gdk_pixbuf_get_width(pixbuf) / 4,
             gdk_pixbuf_get_height(pixbuf) / 4,
-            0, 0, 0.5, 0.5,
             GDK_INTERP_NEAREST);
+    if (tmp) g_object_unref(tmp);
+
     unsigned int rot_amount = ((unsigned int) data[0]) % 4;
     tmp = gdk_pixbuf_rotate_simple(pixbuf, rot_amount * 90);
+    if (tmp) g_object_unref(tmp);
+
     tmp = gdk_pixbuf_flip(pixbuf, TRUE);
+    if (tmp) g_object_unref(tmp);
+
     tmp = gdk_pixbuf_composite_color_simple(pixbuf,
-            gdk_pixbuf_get_width(pixbuf) / 4, 
+            gdk_pixbuf_get_width(pixbuf) / 4,
             gdk_pixbuf_get_height(pixbuf) / 4,
             GDK_INTERP_NEAREST,
             128,
             8,
             G_MAXUINT32,
             G_MAXUINT32/2);
+    if (tmp) g_object_unref(tmp);
 
     char *buf = (char *) calloc(size + 1, sizeof(char));
     memcpy(buf, data, size);
@@ -66,15 +73,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             GDK_COLORSPACE_RGB,
             FALSE,
             gdk_pixbuf_get_bits_per_sample(pixbuf),
-            gdk_pixbuf_get_width(pixbuf), 
+            gdk_pixbuf_get_width(pixbuf),
             gdk_pixbuf_get_height(pixbuf),
             gdk_pixbuf_get_rowstride(pixbuf),
             NULL,
             NULL);
-    tmp = gdk_pixbuf_flip(tmp, TRUE);
+    tmp2 = gdk_pixbuf_flip(tmp, TRUE);
+    if (tmp) g_object_unref(tmp);
 
     free(buf);
+    g_bytes_unref(bytes);
     g_object_unref(pixbuf);
-    g_object_unref(tmp);
+    if (tmp2) g_object_unref(tmp2);
     return 0;
 }
