sys-file-reader: Avoid null dereference skipping bad extension record 18.
author Ben Pfaff <blp@cs.stanford.edu>
Tue, 4 Jul 2017 16:54:47 +0000 (12:54 -0400)
committer Ben Pfaff <blp@cs.stanford.edu>
Tue, 4 Jul 2017 16:55:04 +0000 (12:55 -0400)
read_record() assumed that read_extension_record() never set its output
argument to NULL when it returned true, but this is possible in an error
case.

CVE-2017-10792.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10792.
Reported by team OWL337, with fuzzer collAFL.
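The hazard the commit message describes is a reader function whose boolean return means "no hard error" while its output pointer may still be NULL, so a caller that conflates the two dereferences NULL. The following is an added example, not PSPP code and not the project's own sys-file-reader API: read_ext(), read_record_fixed(), struct ext_record and struct reader are hypothetical stand-ins, and the "bad" flag simulates the error case in which the record is recognised and skipped rather than failed.

```c
/* Added example, not PSPP code: models a reader that returns true both for
   a successfully parsed record and for a deliberately skipped bad record,
   in which case the output pointer is left NULL. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct ext_record {
    int subtype;
    struct ext_record *next;
};

struct reader {
    struct ext_record *attrs;   /* singly linked list of accepted records */
    size_t n_attrs;             /* records pushed onto attrs */
    size_t n_skipped;           /* records read "ok" but skipped */
};

/* Hypothetical stand-in for read_extension_record().
   Returns false on a hard error (the caller must abort the read).
   Returns true with *extp set on success, or true with *extp == NULL when
   the record is bad but tolerated and therefore skipped. */
static bool read_ext(int subtype, bool bad, struct ext_record **extp)
{
    *extp = NULL;
    if (subtype < 0)
        return false;           /* hard error: nothing usable */
    if (bad)
        return true;            /* skipped record: ok, but no record */
    struct ext_record *e = malloc(sizeof *e);
    if (e == NULL)
        return false;
    e->subtype = subtype;
    e->next = NULL;
    *extp = e;
    return true;
}

/* Caller using the guard from the patch: push only when ok AND ext != NULL.
   Without the second test the skipped case would dereference NULL. */
static bool read_record_fixed(struct reader *r, int subtype, bool bad)
{
    struct ext_record *ext;
    bool ok = read_ext(subtype, bad, &ext);
    if (ok && ext != NULL) {
        ext->next = r->attrs;
        r->attrs = ext;
        r->n_attrs++;
    } else if (ok) {
        r->n_skipped++;         /* record skipped, read continues */
    }
    return ok;
}

/* Release everything pushed onto the reader. */
static void reader_free(struct reader *r)
{
    while (r->attrs != NULL) {
        struct ext_record *next = r->attrs->next;
        free(r->attrs);
        r->attrs = next;
    }
    r->n_attrs = 0;
}
```

The check to apply when reviewing any such API is whether the return value alone is sufficient to dereference the output; if "true" can coexist with a NULL out-parameter, every caller needs the second condition, as the patch adds here.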

src/data/sys-file-reader.c

index b49ccf785675639aa48dffd77a279e1e1d501a82..1745d1dcf2db165bf8c3f3f149bd405532e634f3 100644 (file)
@@ -523,7 +523,7 @@ read_record (struct sfm_reader *r, int type,
              18.  I'm surprised that SPSS puts up with this. */
           struct sfm_extension_record *ext;
           bool ok = read_extension_record (r, subtype, &ext);
-          if (ok)
+          if (ok && ext)
             ll_push_tail (&r->var_attrs, &ext->ll);
           return ok;
         }
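Review bot: the guard at `if (ok && ext)` stops the NULL dereference, but the function still returns ok (true) when ext is NULL, so a skipped extension record is reported to the caller as a successful read with nothing appended to r->var_attrs; that contract is not visible from the comment above ("18.  I'm surprised that SPSS puts up with this.") and should be stated there so the next reader knows read_extension_record() may return true with *ext == NULL. The same guard is needed at any other call site that pushes the returned record without checking it.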