info crashes when selecting a node inside of an info file
From: Hilmar Preusse
Subject: info crashes when selecting a node inside of an info file
Date: Thu, 7 Oct 2010 10:59:33 +0200
User-agent: Mutt/1.5.20 (2009-12-10)
Dear all,
http://bugs.debian.org/598932
Down here in the Debian bug tracking system we got a report telling
that info segfaults when selecting a node inside a specific info
file. The info file has been posted to the bug report^1. The
submitter and I could reproduce the problem using the info file;
Norbert Preining could not.
The submitter generated some backtraces, finally had a look at the
source code and made the following statements:
<snip>
I've managed to convince myself that the fault occurs somewhere in
info/nodes.c:info_node_of_file_buffer_tags()
--- more precisely in the (inlined) call to adjust_nodestart(). The
pointer that causes the segfault when dereferenced is
node_body.buffer[0]. A comparison of the source code:
if (node_body.buffer[0] != INFO_COOKIE && min > 2)
node_body.buffer -= 3;
with the disassembly I posted earlier should convince anyone. Note
the
#define INFO_COOKIE '\037'
in info/nodes.h.
<snap>
and
<snip>
After looking a little more closely at the source code, I feel that
the contents of the *tag structure need some more sanity checking.
Before one sets
node->contents = subfile->contents + tag->nodestart;
it would be good to verify that
tag->nodestart >= 0 && tag->nodestart < subfile->filesize
I'm happy to let upstream figure out the best course of action when
the check fails; my own instinct would be to simply continue the for
(i) loop in case there is a valid tag of the same name later on.
I wouldn't be at all surprised to find more instances of missing
input validation in this code. A full audit would be nice.
<snap>
For reference, here are the steps which caused the segfaults:
To reproduce, get /usr/share/info/accounting.info.gz from version
6.4~pre1-6 of the acct package (see link below). Then run "info
accounting", navigate to the menu entry for dump-acct, and hit
Return.
Please comment on this.
Many thanks,
Hilmar Preuße
^1
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=accounting_stable.info.gz;att=1;bug=598932
--
http://www.hilmar-preusse.de.vu/
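The sanity check the quoted analysis asks for, and the "continue the loop" fallback, written out as an added C example; this is not texinfo's code, and the FileBuffer/Tag shapes, the function names and the sample buffer are assumptions made for the illustration:

```c
#include <stdio.h>
#include <string.h>
#define INFO_COOKIE '\037'   /* node separator, as in info/nodes.h */

/* Assumed, simplified shapes of texinfo's FILE_BUFFER and TAG. */
typedef struct { const char *contents; long filesize; } FileBuffer;
typedef struct { const char *nodename; long nodestart; } Tag;

/* Resolve NODESTART to the offset of the INFO_COOKIE that opens the node.
   The offset is validated against the buffer before any byte is read (the
   check the report asks for); -1 means the tag entry is unusable. */
long find_node_checked (const FileBuffer *fb, long nodestart)
{
  if (nodestart < 0 || nodestart >= fb->filesize)
    return -1;                          /* would read outside the buffer */
  const char *p = fb->contents + nodestart;
  /* same rule as adjust_nodestart: the cookie may sit 3 bytes earlier */
  if (*p != INFO_COOKIE && nodestart > 2)
    p -= 3;
  return *p == INFO_COOKIE ? p - fb->contents : -1;
}

/* Look NAME up in the tag table. A tag whose offset fails validation is
   skipped rather than dereferenced, so a later valid tag of the same name
   is still found (the submitter's suggested course of action). */
long lookup_node (const FileBuffer *fb, const Tag *tags, size_t ntags,
                  const char *name)
{
  size_t i;
  for (i = 0; i < ntags; i++) {
    long off;
    if (strcmp (tags[i].nodename, name) != 0)
      continue;
    off = find_node_checked (fb, tags[i].nodestart);
    if (off >= 0)
      return off;
  }
  return -1;
}

/* Constructed sample: two nodes, and a tag table with one garbage offset. */
static const char sample_contents[] =
  "\037\nFile: a.info, Node: Top\n\037\nFile: a.info, Node: dump-acct\n";
static const FileBuffer sample_fb = { sample_contents, sizeof sample_contents - 1 };
static const Tag sample_tags[] = { {"Top", 0}, {"dump-acct", 999999}, {"dump-acct", 29} };

int main (void)
{
  long off = lookup_node (&sample_fb, sample_tags, 3, "dump-acct");
  printf ("dump-acct starts at offset %ld\n", off);   /* 26 */
  return off < 0;
}
```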