
heap-use-after-free in lys_parse_path #2517

@gabe-sherman

Description


Hello, in the program below, a heap-use-after-free occurs as a result of calling lys_parse_path. This occurs in the lysp_ext_instance_path_stmt_append_r function at location tree_schema.c:1700.

Minimal Reproducer

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include "libyang.h"

int main(int argc, char *argv[])
{
    struct ly_ctx *ctx = NULL;
    struct lys_module *module = NULL;
    LYS_INFORMAT format = LYS_IN_YANG;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <module.yang>\n", argv[0]);
        return 1;
    }
    if (ly_ctx_new(NULL, 0, &ctx) != LY_SUCCESS) {
        return 1;
    }
    /* The use-after-free fires inside this call while parsing argv[1]. */
    if (lys_parse_path(ctx, argv[1], format, &module) != LY_SUCCESS) {
        fprintf(stderr, "lys_parse_path failed\n");
    }
    ly_ctx_destroy(ctx);
    return 0;
}

Input File

https://github.com/FuturesLab/Library_Bugs/blob/main/libyang/1

Commit

f302d86 (version 5.4.9)

ASAN Trace

==326937==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c01735e8b50 at pc 0x558b521545d7 bp 0x7ffdbfc06830 sp 0x7ffdbfc06828
READ of size 8 at 0x7c01735e8b50 thread T0
    #0 0x558b521545d6 in lysp_ext_instance_path_stmt_append_r /local_src/libyang/build_artifacts/code/src/tree_schema.c:1700:107
    #1 0x558b5215307e in lysp_ext_instance_path /local_src/libyang/build_artifacts/code/src/tree_schema.c:1826:22
    #2 0x558b52177914 in lysp_ext_find_definition /local_src/libyang/build_artifacts/code/src/tree_schema_common.c:2285:22
    #3 0x558b5215fcfd in lysp_resolve_ext_instance_records /local_src/libyang/build_artifacts/code/src/tree_schema.c:1890:26
    #4 0x558b521563e5 in lys_parse_in /local_src/libyang/build_artifacts/code/src/tree_schema.c:2758:24
    #5 0x558b52160d1b in lys_parse /local_src/libyang/build_artifacts/code/src/tree_schema.c:2840:11
    #6 0x558b5216147f in lys_parse_path /local_src/libyang/build_artifacts/code/src/tree_schema.c:2914:11
    #7 0x558b520a0cf4 in main /bugs/libyang/./harness/1/harness.c:12:5
    #8 0x7f9174229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f9174229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x558b51fb8724 in _start (/bugs/libyang/harness/1/harness+0x85724) (BuildId: 1586a382956ccacc62cac8475d37eaa2a9b92cd5)

0x7c01735e8b50 is located 16 bytes inside of 72-byte region [0x7c01735e8b40,0x7c01735e8b88)
freed by thread T0 here:
    #0 0x558b5205defc in realloc (/bugs/libyang/harness/1/harness+0x12aefc) (BuildId: 1586a382956ccacc62cac8475d37eaa2a9b92cd5)
    #1 0x558b521b99e6 in parse_import /local_src/libyang/build_artifacts/code/src/parser_yang.c:1306:5

previously allocated by thread T0 here:
    #0 0x558b5205db04 in malloc (/bugs/libyang/harness/1/harness+0x12ab04) (BuildId: 1586a382956ccacc62cac8475d37eaa2a9b92cd5)
    #1 0x558b521b9acf in parse_import /local_src/libyang/build_artifacts/code/src/parser_yang.c:1306:5

SUMMARY: AddressSanitizer: heap-use-after-free /local_src/libyang/build_artifacts/code/src/tree_schema.c:1700:107 in lysp_ext_instance_path_stmt_append_r
Shadow bytes around the buggy address:
  0x7c01735e8880: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x7c01735e8900: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x7c01735e8980: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x7c01735e8a00: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x7c01735e8a80: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
=>0x7c01735e8b00: 00 00 00 fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x7c01735e8b80: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x7c01735e8c00: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x7c01735e8c80: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x7c01735e8d00: 00 00 00 00 00 00 00 00 06 fa fa fa fa fa 00 00
  0x7c01735e8d80: 00 00 00 00 00 00 00 06 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==326937==ABORTING
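The trace above says the 72-byte region was freed by realloc in parse_import and then read from lysp_ext_instance_path_stmt_append_r during a later resolution pass, which is the classic shape of a stale pointer into a realloc-grown array. The following is an added, constructed example of that bug class and its usual fix (index-based references resolved after growth finishes); it is not libyang code, and the import_rec/module_rec types, import_append and the two demo functions are all assumptions made for illustration. Whether the parser's real structure matches is an inference from the trace, not something the report states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not libyang code): a per-module array of import
 * records that grows with realloc(). Any pointer taken into the array
 * before a later append may point at freed memory afterwards. */
struct import_rec {
    char prefix[16];
    unsigned seq;
};

struct module_rec {
    struct import_rec *imports;  /* realloc-grown array */
    size_t nimports;
};

/* Append a record; the array may move, invalidating earlier pointers. */
static struct import_rec *import_append(struct module_rec *m, const char *prefix)
{
    struct import_rec *grown = realloc(m->imports, (m->nimports + 1) * sizeof *grown);
    if (!grown) {
        return NULL;
    }
    m->imports = grown;
    struct import_rec *rec = &grown[m->nimports];
    memset(rec, 0, sizeof *rec);
    snprintf(rec->prefix, sizeof rec->prefix, "%s", prefix);
    rec->seq = (unsigned)m->nimports;
    m->nimports++;
    return rec;
}

/* Hazardous pattern: hold a raw pointer to the first record across later
 * appends. Returns 1 if the array was relocated (the saved pointer would
 * now be a use-after-free), 0 if the allocator grew it in place, -1 on
 * allocation failure. The saved address is compared as an integer and
 * never dereferenced, so this runs safely without ASAN. */
int pointer_moved_after_growth(size_t appends)
{
    struct module_rec m = { 0 };
    struct import_rec *first = import_append(&m, "first");
    if (!first) {
        return -1;
    }
    uintptr_t saved = (uintptr_t)first;

    for (size_t i = 0; i < appends; i++) {
        char name[16];
        snprintf(name, sizeof name, "p%zu", i);
        if (!import_append(&m, name)) {
            free(m.imports);
            return -1;
        }
    }
    int moved = (uintptr_t)m.imports != saved;
    free(m.imports);
    return moved;
}

/* Safe pattern: remember the index, not the pointer, and re-derive the
 * pointer from the current array base only after all appends are done.
 * Returns 1 if every record is still found intact by index after growth. */
int index_lookup_intact(size_t appends)
{
    struct module_rec m = { 0 };
    size_t first_idx = m.nimports;              /* an index survives realloc */
    if (!import_append(&m, "first")) {
        return -1;
    }
    for (size_t i = 0; i < appends; i++) {
        char name[16];
        snprintf(name, sizeof name, "p%zu", i);
        if (!import_append(&m, name)) {
            free(m.imports);
            return -1;
        }
    }
    /* Resolve through the current base pointer, as a post-parse pass must. */
    int ok = strcmp(m.imports[first_idx].prefix, "first") == 0 &&
             m.imports[first_idx].seq == 0;
    for (size_t i = 0; ok && i < appends; i++) {
        char name[16];
        snprintf(name, sizeof name, "p%zu", i);
        ok = strcmp(m.imports[i + 1].prefix, name) == 0 && m.imports[i + 1].seq == i + 1;
    }
    free(m.imports);
    return ok;
}

int main(void)
{
    printf("array relocated after 1000 appends: %d\n", pointer_moved_after_growth(1000));
    printf("index-based lookup intact: %d\n", index_lookup_intact(1000));
    return 0;
}
```

Whether pointer_moved_after_growth reports 1 depends on the allocator: glibc may extend a chunk in place, while ASAN's allocator always moves on realloc, which is exactly why the trace attributes the free to realloc. That is also the practical check for this bug class: build with -fsanitize=address and grep the report for "freed by" pointing at a realloc site, then look for pointers captured before that realloc and dereferenced after it.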
