info crashes when selecting a node inside of an info file

From: Hilmar Preusse
Subject: info crashes when selecting a node inside of an info file
Date: Thu, 7 Oct 2010 10:59:33 +0200
User-agent: Mutt/1.5.20 (2009-12-10)

Dear all,


Down here in the Debian bug tracking system we got a report telling
that info segfaults when selecting a node inside a specific info
file.  The info file has been posted to the bug report^1.  The
submitter and I could reproduce the problem using the info file,
Norbert Preining could not.

The submitter generated some backtraces, finally had a look at the
source code and made the following statements:

I've managed to convince myself that the fault occurs somewhere in

--- more precisely in the (inlined) call to adjust_nodestart(). The
pointer that causes the segfault when dereferenced is
node_body.buffer[0].  A comparison of the source code:

  if (node_body.buffer[0] != INFO_COOKIE && min > 2)
    node_body.buffer -= 3;

with the disassembly I posted earlier should convince anyone. Note

#define INFO_COOKIE '\037'

in info/nodes.h.


After looking a little more closely at the source code, I feel that
the contents of the *tag structure need some more sanity checking. 
Before one sets

        node->contents    = subfile->contents + tag->nodestart;
it would be good to verify that
        tag->nodestart >= 0 && tag->nodestart < subfile->filesize

I'm happy to let upstream figure out the best course of action when
the check fails; my own instinct would be to simply continue the for
(i) loop in case there is a valid tag of the same name later on.

I wouldn't be at all surprised to find more instances of missing
input validation in this code.  A full audit would be nice.

For reference here are the steps, which caused the segfaults:

To reproduce, get /usr/share/info/accounting.info.gz from version
6.4~pre1-6 of the acct package (see link below).  Then run "info
accounting", navigate to the menu entry for dump-acct, and hit

Please comment on this.

Many thanks,
  Hilmar Preuße
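The range check the report proposes, as an added example (not code from texinfo or from the bug report): a tag's nodestart is untrusted input read from the info file's tag table, so it is validated against the file buffer before it is turned into a pointer, and a tag that fails the check is skipped in favour of a later tag of the same name.  The structures and function names here (file_buffer, node_tag, tag_nodestart_ok, adjust_nodestart_checked, locate_node_contents, demo_lookup) are hypothetical stand-ins for info's FILE_BUFFER/TAG code; the backward step for INFO_COOKIE mirrors the idea of adjust_nodestart() but is bounds-checked and is not the original routine.  The sample buffer and tag table are constructed for the example.

```c
/* Added example: bounds-check a tag's nodestart before dereferencing it.
 * Names below are hypothetical stand-ins for info's real structures. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INFO_COOKIE '\037'   /* same value as in info/nodes.h */

/* Hypothetical stand-in for the subfile's FILE_BUFFER. */
typedef struct {
    const char *contents;
    long filesize;
} file_buffer;

/* Hypothetical stand-in for a TAG from the tag table. */
typedef struct {
    const char *nodename;
    long nodestart;   /* untrusted: parsed from the info file itself */
} node_tag;

/* The check suggested in the report:
 *   tag->nodestart >= 0 && tag->nodestart < subfile->filesize */
int tag_nodestart_ok(const node_tag *tag, const file_buffer *fb)
{
    if (fb->contents == NULL || fb->filesize <= 0)
        return 0;
    return tag->nodestart >= 0 && tag->nodestart < fb->filesize;
}

/* A node body is preceded by INFO_COOKIE.  If the offset is not directly on
 * the cookie, look back up to 3 bytes for it, never before offset 0.
 * Returns the adjusted offset, or -1 if no cookie is found in range. */
long adjust_nodestart_checked(const file_buffer *fb, long nodestart)
{
    long pos;
    if (nodestart < 0 || nodestart >= fb->filesize)
        return -1;
    for (pos = nodestart; pos >= 0 && pos >= nodestart - 3; pos--)
        if (fb->contents[pos] == INFO_COOKIE)
            return pos;
    return -1;
}

/* Look up `name` in the tag table; skip tags with an out-of-range nodestart
 * ("continue the for (i) loop") instead of computing a wild pointer. */
const char *locate_node_contents(const file_buffer *fb,
                                 const node_tag *tags, size_t ntags,
                                 const char *name)
{
    size_t i;
    for (i = 0; i < ntags; i++) {
        long start;
        if (strcmp(tags[i].nodename, name) != 0)
            continue;
        if (!tag_nodestart_ok(&tags[i], fb))
            continue;                 /* bogus offset: try a later tag */
        start = adjust_nodestart_checked(fb, tags[i].nodestart);
        if (start < 0)
            continue;
        return fb->contents + start;
    }
    return NULL;
}

/* Constructed sample: a tiny info-like buffer with two nodes.
 * Cookies sit at offsets 33 and 75; total size is 119 bytes. */
static const char sample_info[] =
    "This is a constructed info file.\n"
    "\037\nFile: sample.info, Node: Top\n\nTop text.\n"
    "\037\nFile: sample.info, Node: dump-acct\n\nBody.\n";

const file_buffer sample_fb = { sample_info, (long)sizeof(sample_info) - 1 };

/* Constructed tag table: dump-acct appears first with a bogus negative
 * nodestart (the kind of value that would crash on dereference), then with
 * an offset one byte past its cookie, which is adjusted back to the cookie. */
const char *demo_lookup(const char *name)
{
    static const node_tag tags[] = {
        { "Top",       33 },
        { "dump-acct", -7 },
        { "dump-acct", 76 },
    };
    return locate_node_contents(&sample_fb, tags,
                                sizeof(tags) / sizeof(tags[0]), name);
}

int main(void)
{
    const char *p = demo_lookup("dump-acct");
    if (p == NULL)
        printf("dump-acct: no valid tag\n");
    else
        printf("dump-acct found at offset %ld, first byte 0x%02x\n",
               (long)(p - sample_info), (unsigned char)p[0]);
    return 0;
}
```

With the check in place the bogus tag is simply skipped and the lookup lands on the second, valid dump-acct entry; without it, `subfile->contents + tag->nodestart` with a negative or oversized nodestart yields the out-of-bounds read the backtrace describes.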

