Package: bc
Version: 1.06.95-9
Severity: normal
Tags: upstream patch
I've been letting american fuzzy lop (afl) have a go at bc, and it found
a way to crash bc. Here is a minimal input that causes a crash:
0b
&0&&&0
The crash happens in execute.c line 138, where it tries to dereference
gp which can be a NULL pointer. Attached is a patch with a fix.
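To make the crash mechanism and the shape of the fix concrete, here is an added stand-alone model of the label-group walk, written for this report and not taken from bc's sources: `struct label_group`, `LABEL_LOG` and `LABEL_GROUP` are hypothetical stand-ins for bc's own types and constants, and the two-group list is constructed sample data. `label_addr_unguarded` mirrors the pre-patch loop, which dereferences `gp` even when the list is shorter than the label number implies; `label_addr_guarded` stops at the end of the list and reports the error through its return value instead.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for bc's BC_LABEL_LOG / BC_LABEL_GROUP. */
#define LABEL_LOG   2
#define LABEL_GROUP (1 << LABEL_LOG)   /* 4 label addresses per group */

/* Simplified model of bc's label group list (not bc's real struct). */
struct label_group {
    int l_adrs[LABEL_GROUP];
    struct label_group *l_next;
};

/* Pre-patch shape: walks l_gp groups without checking for the end of the
   list, so a label number beyond the last group (or an empty list)
   dereferences NULL. Kept for comparison only. */
int label_addr_unguarded(struct label_group *gp, int label_num) {
    int l_gp = label_num >> LABEL_LOG;
    int l_off = label_num % LABEL_GROUP;
    while (l_gp-- > 0) gp = gp->l_next;
    return gp->l_adrs[l_off];
}

/* Patched shape: the walk stops as soon as gp becomes NULL, and the
   missing group is reported through the return value. *addr is left
   untouched on failure so a caller cannot silently use a stale value. */
int label_addr_guarded(struct label_group *gp, int label_num, int *addr) {
    if (label_num < 0) return -1;
    int l_gp = label_num >> LABEL_LOG;
    int l_off = label_num % LABEL_GROUP;
    while (gp && l_gp-- > 0) gp = gp->l_next;
    if (!gp) return -1;            /* "No label group for label N" */
    *addr = gp->l_adrs[l_off];
    return 0;
}

/* Constructed sample list: two groups, so labels 0..7 resolve and any
   higher label number runs off the end of the list. */
static struct label_group g1 = { {100, 101, 102, 103}, NULL };
static struct label_group g0 = { {0, 1, 2, 3}, &g1 };
struct label_group *sample_labels(void) { return &g0; }

/* Address for label_num in the sample list, or fallback if it is missing. */
int lookup_or(int label_num, int fallback) {
    int addr;
    if (label_addr_guarded(sample_labels(), label_num, &addr) != 0)
        return fallback;
    return addr;
}

int main(void) {
    for (int n = 0; n < 10; n++) {
        int addr = lookup_or(n, -1);
        if (addr >= 0)
            printf("label %d -> address %d\n", n, addr);
        else
            printf("label %d -> no label group\n", n);
    }
    return 0;
}
```

Labels 8 and 9 would crash `label_addr_unguarded` on this list, which is the same failure the fuzzer-found input triggers in `execute.c`; the guarded version reports them as missing and lets the caller decide how to stop.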
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bc depends on:
ii libc6 2.19-22
ii libreadline6 6.3-8+b3
ii libtinfo5 6.0+20151024-2
bc recommends no packages.
bc suggests no packages.
-- no debconf information
Index: bc-1.06.95/bc/execute.c
===================================================================
--- bc-1.06.95.orig/bc/execute.c
+++ bc-1.06.95/bc/execute.c
@@ -134,7 +134,11 @@ execute ()
gp = functions[pc.pc_func].f_label;
l_gp = label_num >> BC_LABEL_LOG;
l_off = label_num % BC_LABEL_GROUP;
- while (l_gp-- > 0) gp = gp->l_next;
+ while (gp && l_gp-- > 0) gp = gp->l_next;
+ if (!gp) {
+ rt_error ("No label group for label %d.", label_num);
+ break;
+ }
pc.pc_addr = gp->l_adrs[l_off];
}
break;
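Review bot: after `rt_error ("No label group for label %d.", label_num);` the added `break;` leaves `pc.pc_addr` unchanged and falls out of the switch, so whether execution actually halts here or carries on from the stale `pc.pc_addr` depends entirely on what `rt_error` does to the run state, which is not visible in this hunk; confirm that, or set an explicit halt before the `break`. The same message now covers two cases, `functions[pc.pc_func].f_label` being NULL from the start and the list being shorter than `l_gp` groups; the label number is enough to diagnose either, but a one-line comment above the `while (gp && l_gp-- > 0)` loop noting that a malformed label number from fuzzed input can reach this point would help the next reader.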