* Sergio Gelato [2010-10-06 19:25:03 +0200]:
> However, that may not now be necessary. I've managed to convince myself
> that the fault occurs somewhere in
> info/nodes.c:info_node_of_file_buffer_tags()
> --- more precisely in the (inlined) call to adjust_nodestart(). The pointer
> that causes the segfault when dereferenced is node_body.buffer[0]. A
> comparison of the source code:
>     if (node_body.buffer[0] != INFO_COOKIE && min > 2)
>       node_body.buffer -= 3;
> with the disassembly I posted earlier should convince anyone. Note the
>     #define INFO_COOKIE '\037'
> in info/nodes.h.
After looking a little more closely at the source code, I feel that the contents of the *tag structure need some more sanity checking. Before one sets

    node->contents = subfile->contents + tag->nodestart;

it would be good to verify that

    tag->nodestart >= 0 && tag->nodestart < subfile->filesize

I'm happy to let upstream figure out the best course of action when the check fails; my own instinct would be to simply continue the for (i) loop in case there is a valid tag of the same name later on.

I wouldn't be at all surprised to find more instances of missing input validation in this code. A full audit would be nice.
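The following is an added illustration of the bounds check proposed above and is not code from this message or from Texinfo's info reader. The SUBFILE and TAG structures, the function names and the sample tag table are all simplified stand-ins constructed here; only the field names nodestart, contents and filesize are taken from the message. It models the "continue the for (i) loop" option, so a tag whose offset lies outside the subfile buffer is skipped instead of being turned into a pointer that would later be dereferenced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the info reader's structures (assumption:
   only the field names named in the message are mirrored; these are not
   Texinfo's real definitions). */
typedef struct {
    const char *contents;   /* buffer holding the (sub)file's text */
    long filesize;          /* number of valid bytes in contents */
} SUBFILE;

typedef struct {
    const char *nodename;
    long nodestart;         /* byte offset of the node within the subfile */
} TAG;

/* The sanity check proposed in the message: an offset is usable only if
   it lies inside the subfile's buffer. */
int nodestart_in_range(long nodestart, long filesize)
{
    return nodestart >= 0 && nodestart < filesize;
}

/* Look up a node by name, skipping tags whose nodestart is out of range
   so that a later valid tag of the same name can still be found.
   Returns a pointer into the subfile's contents, or NULL if no tag with
   a valid offset exists. */
const char *find_node_contents(const SUBFILE *subfile, const TAG *tags,
                               size_t ntags, const char *name)
{
    for (size_t i = 0; i < ntags; i++) {
        if (strcmp(tags[i].nodename, name) != 0)
            continue;
        if (!nodestart_in_range(tags[i].nodestart, subfile->filesize))
            continue;   /* bogus tag: never form a pointer outside the buffer */
        return subfile->contents + tags[i].nodestart;
    }
    return NULL;
}

/* Constructed sample data: a tiny "subfile" and a tag table with one
   out-of-range entry and one negative entry ahead of the valid one. */
static const char sample_text[] = "\037\nFile: x,  Node: Top\nhello\n";
static const SUBFILE sample_subfile = { sample_text, (long)sizeof sample_text - 1 };
static const TAG sample_tags[] = {
    { "Top", 100000 },   /* beyond filesize: would read past the buffer */
    { "Top", -3 },       /* negative: would read before the buffer */
    { "Top", 0 },        /* valid: points at the INFO_COOKIE byte */
};

/* Returns 1 if the lookup for "Top" skips both bad tags and yields the
   valid third one. */
int demo_lookup_skips_bad_tags(void)
{
    const char *p = find_node_contents(&sample_subfile, sample_tags, 3, "Top");
    return p == sample_text && p[0] == '\037';
}

int main(void)
{
    printf("lookup skips bad tags: %s\n",
           demo_lookup_skips_bad_tags() ? "yes" : "no");
    return 0;
}
```

With only the two bad tags present, find_node_contents returns NULL rather than an out-of-range pointer; whether the caller then reports an error or keeps searching is the policy decision the message leaves to upstream.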