From: Ben Pfaff Date: Tue, 4 Jul 2017 16:54:47 +0000 (-0400) Subject: sys-file-reader: Avoid null dereference skipping bad extension record 18. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf03b53a3c0f0d1066062f37919015a8fa6ad436;p=pspp sys-file-reader: Avoid null dereference skipping bad extension record 18. read_record() assumed that read_extension_record() never set its output argument to NULL when it returned true, but this is possible in an error case. CVE-2017-10792. See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890. See also https://security-tracker.debian.org/tracker/CVE-2017-10792. Reported by team OWL337, with fuzzer collAFL. --- diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index b49ccf7856..1745d1dcf2 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -523,7 +523,7 @@ read_record (struct sfm_reader *r, int type, 18. I'm surprised that SPSS puts up with this. */ struct sfm_extension_record *ext; bool ok = read_extension_record (r, subtype, &ext); - if (ok) + if (ok && ext) ll_push_tail (&r->var_attrs, &ext->ll); return ok; }
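Review bot: the `if (ok && ext)` guard in front of `ll_push_tail (&r->var_attrs, &ext->ll)` removes the NULL dereference, but it leaves the contract of `read_extension_record()` implicit: per the commit message it can return true with `ext` set to NULL on an error path, and since the function still ends with `return ok;`, a malformed record 18 is now dropped silently rather than surfaced to the caller. Suggest stating that in a comment next to the call (e.g. `/* read_extension_record() may return true with ext == NULL for a record it could not use. */`) and, if other call sites of `read_extension_record()` in sys-file-reader.c make the same "true implies non-NULL" assumption, applying the same guard there, since this hunk covers only the record-18 path.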