reassign 715855 libeb16
tags 715855 + patch
stop

The three bugs in libeb tools detected by "Mayhem" all have the same
cause: The function url_parts_parse() in eb/urlparts.c performs a
NULL-pointer dereference when trying to parse certain ill-formed ebook
URLs.

`hostport' is one of several local variables that url_parts_parse
initialises to NULL and then tries to match to particular parts of the
URL string. However, if the url string contains "//" and ends in "@",
the 'hostport' pointer is dereferenced even though it still has the
value NULL, which is causing the segfault.

You can reproduce the crash easily by running
$ ebfont "EBNET:// @"
(or passing a similar book URL to any of the other eb tools)

The following patch wraps the code that causes the NULL-pointer
dereference with a test that (hostport != NULL). The URL parsing code
in url_parts_parse() looks a little fragile though, there may be other
bugs.

I am reassigning the bug to libeb16, because url_parts_parse() is run
as a consequence of calling eb_bind(), which is part of the library
API.

Here is the patch:

--- a/eb/urlparts.c
+++ b/eb/urlparts.c
@@ -355,20 +355,22 @@ url_parts_parse(URL_Parts *parts, const char *url)
         * Get host and port.
         * IPv6 address is enclosed in `[' and `]'.
         */
-       if (*hostport == '[') {
-           right_bracket = strchr(hostport + 1, ']');
-           if (right_bracket == NULL)
-               separator = NULL;
-           else {
-               if (*(right_bracket + 1) == ':'
-                   || *(right_bracket + 1) == '\0') {
-                   hostport++;
-                   *right_bracket = '\0';
+       if (hostport != NULL) {
+               if (*hostport == '[') {
+                   right_bracket = strchr(hostport + 1, ']');
+                   if (right_bracket == NULL)
+                       separator = NULL;
+                   else {
+                       if (*(right_bracket + 1) == ':'
+                           || *(right_bracket + 1) == '\0') {
+                           hostport++;
+                           *right_bracket = '\0';
+                       }
+                       separator = strchr(right_bracket + 1, ':');
+                   }
+               } else {
+                   separator = strchr(hostport, ':');
                }
-               separator = strchr(right_bracket + 1, ':');
-           }
-       } else {
-           separator = strchr(hostport, ':');
        }
 
        if (separator != NULL) {
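Review bot: on the path where hostport is NULL, the new `if (hostport != NULL)` guard skips every assignment to `separator`, yet the trailing context line `if (separator != NULL) {` still tests it. The hunk does not show where `separator` is declared, so please confirm it is one of the locals initialised to NULL at the top of url_parts_parse(), or give the guard an explicit `else` that sets `separator = NULL;`. As a style point, the re-indented lines use inconsistent depths (the inner `if (*hostport == '[') {` sits two levels deeper than the enclosing guard), which makes the nesting hard to check by eye and inflates the diff; keeping one indent step per level would help.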


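The failure mode described in this report, as an added example that is not part of the original message and is not libeb code: a constructed model of authority parsing in which hostport stays NULL for a URL that ends in "@", with the NULL check placed before the first dereference. The name parse_authority, the way the URL parts are matched, and rejecting such a URL with -1 (the patch instead skips the block and continues) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not libeb code: splits "scheme://[userinfo@]host[:port]"
 * in place. How hostport ends up NULL here is an assumption made to mirror
 * the report. Returns 0 on success, -1 when no usable host is present. */
int parse_authority(char *url, char **host, char **port)
{
    char *hostport = NULL, *separator, *right_bracket, *p, *at;

    *host = *port = NULL;
    if ((p = strstr(url, "//")) == NULL)
        return -1;
    p += 2;
    p[strcspn(p, "/")] = '\0';              /* cut off any path */
    if ((at = strrchr(p, '@')) != NULL)     /* skip optional userinfo */
        p = at + 1;
    if (*p != '\0')                         /* nothing after '@': stays NULL */
        hostport = p;
    if (hostport == NULL)                   /* check before any dereference */
        return -1;
    if (*hostport == '[') {                 /* IPv6 literal in `[' and `]' */
        right_bracket = strchr(hostport + 1, ']');
        if (right_bracket == NULL
            || (right_bracket[1] != ':' && right_bracket[1] != '\0'))
            return -1;                      /* malformed literal: reject */
        hostport++;
        *right_bracket = '\0';
        separator = strchr(right_bracket + 1, ':');
    } else {
        separator = strchr(hostport, ':');
    }
    if (separator != NULL) {                /* split off the port */
        *separator = '\0';
        *port = separator + 1;
    }
    *host = hostport;
    return 0;
}

int main(void)
{
    char a[] = "EBNET:// @", b[] = "ebnet://[::1]:22010/dict", *h, *pt;
    printf("%d\n", parse_authority(a, &h, &pt));   /* URL from the report */
    if (parse_authority(b, &h, &pt) == 0)
        printf("%s %s\n", h, pt);
    return 0;
}
```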