On Friday, 2021-06-18 at 19:36:55 +02, Bruno Haible wrote:
> Darren Kenny wrote:
>> All other instances of call to __argp_failure() where there is
>> a dgettext() call first check whether the value of state is NULL
>> before attempting to dereference it to get the root_argp->argp_domain.
>>
>> This was originally found during a Coverity scan of GRUB2.
>
> Thanks. I confirm that that is a possible NULL dereference here. I've
> applied your patch.
>
> The notation '(tiny change)' is explained in
> <https://www.gnu.org/prep/maintain/html_node/Legally-Significant.html>.
>
>
> 2021-06-18  Darren Kenny  <[email protected]>  (tiny change)
>
>         argp: Avoid possible NULL access in argp_help.
>         Reported by Coverity. The invocation chain is:
>         argp_help -> _help -> fill_in_uparams -> validate_uparams.
>         * lib/argp-help.c (validate_uparams): Don't crash if state == NULL.
>
> diff --git a/lib/argp-help.c b/lib/argp-help.c
> index 4c89697..80cdb44 100644
> --- a/lib/argp-help.c
> +++ b/lib/argp-help.c
> @@ -147,7 +147,8 @@ validate_uparams (const struct argp_state *state, struct
> uparams *upptr)
>    if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
>      {
>        __argp_failure (state, 0, 0,
> -                      dgettext (state->root_argp->argp_domain,
> +                      dgettext (state == NULL ? NULL
> +                                : state->root_argp->argp_domain,
>                                 "\
> ARGP_HELP_FMT: %s value is less than or equal to %s"),
>                       "rmargin", up->name);
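Review bot: the new ternary in `+ dgettext (state == NULL ? NULL` relies on dgettext() accepting a NULL domainname and falling back to the current default domain; that is GNU gettext's documented behaviour, but a short comment on that line would save the next reader from having to verify it. The guard only protects the domain lookup: `__argp_failure (state, 0, 0,` still receives the NULL state, which is acceptable only because, as the quoted report says, the other call sites already pass a NULL state to __argp_failure() in the same way, so it would help to state that in the ChangeLog entry next to the argp_help -> _help -> fill_in_uparams -> validate_uparams chain that reaches this point with state == NULL.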
Thanks Bruno.
