If I’ve followed this right, it’s a fairly regular leak and they were just really lucky that go 1.3 was forgiving about it. The code is hard to read with so many parameters and casts, but I suspect a simple test case would make it obvious where the allocation is and who is responsible for freeing it.
What if this leak exposes something sensitive?
Leaking memory is not a security issue at all.
[Comment removed by author]
This was my understanding as well. The thought that the Go GC would garbage collect your C libraries is terrifying and would be a massive security violation.
Just imagine if you could plug the Go GC into any C application. Would it work 100% of the time for 100% of the C code in existence?
It was hard to determine exactly how they broke it. I was looking for a normal, natural access pattern that lead inevitably to a leak.