From bf03b53a3c0f0d1066062f37919015a8fa6ad436 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Tue, 4 Jul 2017 12:54:47 -0400 Subject: [PATCH] sys-file-reader: Avoid null dereference skipping bad extension record 18. read_record() assumed that read_extension_record() never set its output argument to NULL when it returned true, but this is possible in an error case. CVE-2017-10792. See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890. See also https://security-tracker.debian.org/tracker/CVE-2017-10792. Reported by team OWL337, with fuzzer collAFL. --- src/data/sys-file-reader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index b49ccf7856..1745d1dcf2 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -523,7 +523,7 @@ read_record (struct sfm_reader *r, int type, 18. I'm surprised that SPSS puts up with this. */ struct sfm_extension_record *ext; bool ok = read_extension_record (r, subtype, &ext); - if (ok) + if (ok && ext) ll_push_tail (&r->var_attrs, &ext->ll); return ok; } -- 2.30.2
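Review bot: the guard `if (ok && ext)` fixes the crash at this call site, but it silently encodes a contract that the commit message itself describes as an error case: `read_extension_record()` may return true while leaving `*ext` NULL. If that combination means "record rejected, keep parsing", it should be stated in a comment on the callee (or at this call site, next to the existing "I'm surprised that SPSS puts up with this" note) so the next reader does not assume the push was skipped by accident; if it is simply an error, the cleaner fix is for `read_extension_record()` to return false in that path so callers need no NULL check. Either way, any other caller of `read_extension_record()` that only tests `ok` before dereferencing the result needs the same treatment, since this hunk only covers the subtype 18 path.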