From: Ben Pfaff Date: Sun, 23 Sep 2018 04:36:10 +0000 (-0700) Subject: sys-file-reader: Fix null deref on bad $@Role attribute. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98f90d5547c9a69591cd24eb46f012ee96b2fa30;p=pspp sys-file-reader: Fix null deref on bad $@Role attribute. When a variable had a bad $@Role attribute, this was effectively read as an attribute without any values. This is the only way to produce such an attribute. The system file reader assumed that every attribute had at least one value and segfaulted if $@Role did not. This commit fixes both the ultimate cause of the segfault, by dropping attributes with no values, and the proximate cause, by ignoring $@Role attributes with no values. Either fix by itself would be sufficient to avoid the segfault. Thanks to Tianxiao Gu for reporting the problem. Bug #54687. --- diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index b2db755732..1b2d6c2131 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -2334,7 +2334,7 @@ parse_attributes (struct sfm_reader *r, struct text_record *text, if (text_match (text, ')')) break; } - if (attrs != NULL) + if (attrs != NULL && attribute_get_n_values (attr) > 0) { if (!attrset_try_add (attrs, attr)) { @@ -2388,7 +2388,7 @@ assign_variable_roles (struct sfm_reader *r, struct dictionary *dict) struct variable *var = dict_get_var (dict, i); struct attrset *attrs = var_get_attributes (var); const struct attribute *attr = attrset_lookup (attrs, "$@Role"); - if (attr != NULL) + if (attr != NULL && attribute_get_n_values (attr) > 0) { int value = atoi (attribute_get_value (attr, 0)); enum var_role role;
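Review bot: In the parse_attributes hunk, the new `attribute_get_n_values (attr) > 0` test makes a value-less attribute disappear without any diagnostic, and the visible lines do not show what happens to `attr` when the condition is false. Please confirm that the path taken when `attrs != NULL` but the attribute has zero values still frees `attr` (the branch that handles it lies outside the hunk's context), and consider warning there so a malformed system file is reported instead of being quietly accepted. A short comment stating that attributes without values are dropped because later code assumes at least one value would also help the next reader.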
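Review bot: In the assign_variable_roles hunk, the guard makes `attribute_get_value (attr, 0)` safe, but the following context line still parses file-controlled text with `atoi`, which cannot distinguish a non-numeric value from 0 and has undefined behaviour when the number does not fit in an int. Consider `strtol` with an end-pointer and range check, handling a failed parse the same way as a missing value. The patch as shown touches only src/data/sys-file-reader.c, so a regression test that reads a system file with a bad $@Role attribute would keep Bug #54687 from returning.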