From 98f90d5547c9a69591cd24eb46f012ee96b2fa30 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Sat, 22 Sep 2018 21:36:10 -0700
Subject: [PATCH] sys-file-reader: Fix null deref on bad $@Role attribute.
When a variable had a bad $@Role attribute, this was effectively read as an attribute without any values. This is the only way to produce such an attribute. The system file reader assumed that every attribute had at least one value and segfaulted if $@Role did not. This commit fixes both the ultimate cause of the segfault, by dropping attributes with no values, and the proximate cause, by ignoring $@Role attributes with no values. Either fix by itself would be sufficient to avoid the segfault. Thanks to Tianxiao Gu for reporting the problem. Bug #54687.
---
 src/data/sys-file-reader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index b2db755732..1b2d6c2131 100644
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -2334,7 +2334,7 @@ parse_attributes (struct sfm_reader *r, struct text_record *text,
 if (text_match (text, ')'))
 break;
 }
- if (attrs != NULL)
+ if (attrs != NULL && attribute_get_n_values (attr) > 0)
 {
 if (!attrset_try_add (attrs, attr))
 {
@@ -2388,7 +2388,7 @@ assign_variable_roles (struct sfm_reader *r, struct dictionary *dict)
 struct variable *var = dict_get_var (dict, i);
 struct attrset *attrs = var_get_attributes (var);
 const struct attribute *attr = attrset_lookup (attrs, "$@Role");
- if (attr != NULL)
+ if (attr != NULL && attribute_get_n_values (attr) > 0)
 {
 int value = atoi (attribute_get_value (attr, 0));
 enum var_role role;
--
2.30.2
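Review bot: An attribute parsed with no values now fails the widened condition `attrs != NULL && attribute_get_n_values (attr) > 0` in parse_attributes, and the hunk does not show what happens to `attr` on that path. If the code after the hunk does not free `attr` whenever this `if` is not taken, each such attribute in a malformed or crafted system file is leaked, so please confirm the not-taken branch releases it. A short comment above the condition would also help, for example `/* Drop attributes that ended up with no values; later code assumes at least one. */`, since nothing visible here explains the invariant being enforced. The body of parse_attributes starts and ends outside the hunk.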
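Review bot: Inside the newly guarded block in assign_variable_roles, `atoi (attribute_get_value (attr, 0))` still converts a string read from the system file with no error detection. Non-numeric text yields 0, which cannot be told apart from a genuine "0", and a number that does not fit in `int` is undefined behavior for `atoi`. Parsing with `char *end; long value = strtol (attribute_get_value (attr, 0), &end, 10);` and treating "no digits consumed", `*end != '\0'` or an out-of-range result as an invalid role would close that gap. How an invalid role is reported is decided after `enum var_role role;`, beyond the end of the hunk, so the exact handling has to follow that code.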