HTACG Tidy-HTML5 Memory Leak Vulnerability in Alloc Function
Vulnerability
A memory leak vulnerability has been identified in HTACG Tidy-HTML5 version 5.8.0. The issue arises in the 'defaultAlloc' function within 'src/alloc.c', where the program fails to properly manage and release allocated memory. This flaw can be exploited locally, leading to a gradual consumption of available memory and causing a denial-of-service condition.
Impact
Exploitation of this vulnerability leaves allocated memory unreleased, so the application's memory usage keeps growing and system resources can eventually be exhausted.
Reproduction
The vulnerability can be reproduced using a fuzzing harness that is part of the Google OSS-Fuzz project. The steps involve compiling Tidy-HTML5 with Clang, using AddressSanitizer to detect memory leaks, and then running the fuzzer with a specially crafted input that triggers the leak. The fuzzing harness is available on GitHub as part of the OSS-Fuzz repository.
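The reproduction above relies on AddressSanitizer's leak check to flag memory that is still allocated after the crafted input has been processed. The following added example (not Tidy's code and not the OSS-Fuzz harness) does the same accounting by hand for a single input; the tracking hooks, the `parse` stand-in and its NUL-byte trigger are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64 /* demo limit; blocks beyond it go untracked */
static struct { void *ptr; size_t size; } live[MAX_LIVE];

/* Hypothetical hooks standing in for a library's alloc/free pair. */
static void *track_alloc(size_t n) {
    void *p = malloc(n ? n : 1);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i].ptr) { live[i].ptr = p; live[i].size = n; break; }
    return p;
}
static void track_free(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i].ptr == p) { live[i].ptr = NULL; break; }
    free(p);
}
/* Sum the bytes still allocated, then free them so runs stay independent. */
static size_t drain_outstanding(void) {
    size_t total = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i].ptr) { total += live[i].size; free(live[i].ptr); live[i].ptr = NULL; }
    return total;
}
/* Constructed stand-in parser; with fixed == 0 its reject path skips the free. */
static int parse(const uint8_t *data, size_t size, int fixed) {
    uint8_t *copy = track_alloc(size);
    if (!copy) return -1;
    if (size) memcpy(copy, data, size);
    if (size && memchr(copy, 0, size)) { /* error path: input has a NUL byte */
        if (fixed) track_free(copy);
        return -1;
    }
    track_free(copy);
    return 0;
}
/* Per-input check for a fuzz harness: bytes this one input left allocated. */
size_t leaked_by_input(const uint8_t *data, size_t size, int fixed) {
    drain_outstanding();
    (void)parse(data, size, fixed);
    return drain_outstanding();
}
int main(void) {
    const uint8_t bad[] = {'<', 'p', '>', 0, '<', '/', 'p', '>'}; /* constructed */
    printf("leaky path: %zu bytes, fixed path: %zu bytes\n",
           leaked_by_input(bad, sizeof bad, 0), leaked_by_input(bad, sizeof bad, 1));
    return 0;
}
```

A nonzero result for an input is the same signal the sanitizer reports, and rerunning that input after a patch should bring it back to zero.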
