Hi, I've attached a file that will segfault if passed to info (with -f [input]). The reason is a null pointer access in the function info_get_node_of_file_buffer(). I'll also attach a proposed patch to fix it.
This bug was found with the help of the tool american fuzzy lop.
Here's a stack trace from address sanitizer of the bug:
==20372==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000047ae43 bp 0x7fff49e63fd0 sp 0x7fff49e63750 T0)
    #0 0x47ae42 in __interceptor_strcmp (/mnt/ram/texinfo-6.3/info/ginfo+0x47ae42)
    #1 0x53aa63 in info_get_node_of_file_buffer /mnt/ram/texinfo-6.3/info/nodes.c:1105:13
    #2 0x53a419 in info_get_node_with_defaults /mnt/ram/texinfo-6.3/info/nodes.c:988:14
    #3 0x55df11 in dump_node_to_stream /mnt/ram/texinfo-6.3/info/session.c:3765:10
    #4 0x55dc52 in dump_nodes_to_file /mnt/ram/texinfo-6.3/info/session.c:3728:11
    #5 0x521cbf in main /mnt/ram/texinfo-6.3/info/info.c:1029:7
    #6 0x7f668147e6ff in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41ab08 in _start (/mnt/ram/texinfo-6.3/info/ginfo+0x41ab08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/ram/texinfo-6.3/info/ginfo+0x47ae42) in __interceptor_strcmp
==20372==ABORTING
--
Hanno Böck
https://hboeck.de/
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Attachment: texinfo-nullptr-info_get_node_of_file_buffer.info (binary data)
--- texinfo-6.3-orig/info/nodes.c 2016-09-07 02:43:16.000000000 +0200
+++ texinfo-6.3/info/nodes.c 2016-10-02 16:11:10.568140803 +0200
@@ -1102,7 +1102,7 @@
return NULL;
for (i = 0; (tag = file_buffer->tags[i]); i++)
- if (strcmp (nodename, tag->nodename) == 0)
+ if ((tag->nodename != NULL) && (strcmp (nodename, tag->nodename) == 0))
{
node = info_node_of_tag (file_buffer, &file_buffer->tags[i]);
break;
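Review bot: the added `tag->nodename != NULL` guard at nodes.c:1105 stops the strcmp on a NULL pointer, but it also makes the loop silently skip any tag that has no nodename, so the lookup behaves as if that node simply did not exist; a one-line comment saying why an entry in file_buffer->tags can carry a NULL nodename (and whether the tag-table builder should have created such an entry at all) would let a reviewer judge whether this fixes the cause or only the symptom. Style: the parentheses around each operand are redundant, `if (tag->nodename && strcmp (nodename, tag->nodename) == 0)` reads cleaner and matches the surrounding code.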