* Sergio Gelato [2010-10-06 19:25:03 +0200]:
> However, that may not now be necessary. I've managed to convince myself
> that the fault occurs somewhere in 
> info/nodes.c:info_node_of_file_buffer_tags()
> --- more precisely in the (inlined) call to adjust_nodestart(). The pointer
> that causes the segfault when dereferenced is node_body.buffer[0]. A
> comparison of the source code:
>   if (node_body.buffer[0] != INFO_COOKIE && min > 2)
>     node_body.buffer -= 3;
> with the disassembly I posted earlier should convince anyone. Note the
> #define INFO_COOKIE '\037'
> in info/nodes.h.

After looking a little more closely at the source code, I feel that the
contents of the *tag structure need some more sanity checking. Before
one sets
        node->contents    = subfile->contents + tag->nodestart;
it would be good to verify that 
        tag->nodestart >= 0 && tag->nodestart < subfile->filesize

I'm happy to let upstream figure out the best course of action when the
check fails; my own instinct would be to simply continue the for (i) loop
in case there is a valid tag of the same name later on.

I wouldn't be at all surprised to find more instances of missing input
validation in this code. A full audit would be nice.
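The range check proposed above, written out as a small stand-alone C example. This is added illustration, not code from the mail or from texinfo: the SubFile and Tag structs are simplified stand-ins for FILE_BUFFER and TAG (assumed here, only the fields the check needs), the tag table and node text are constructed, and the "skip the tag and keep scanning" behaviour is the option the mail mentions, not what upstream actually chose.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INFO_COOKIE '\037'   /* node separator byte, same value as info/nodes.h */

/* Simplified stand-ins for texinfo's FILE_BUFFER and TAG (assumptions made
   for this example; only the fields the check needs are modelled). */
typedef struct {
    const char *contents;   /* bytes of the (sub)file */
    long filesize;          /* number of valid bytes in contents */
} SubFile;

typedef struct {
    const char *nodename;
    long nodestart;         /* byte offset of the node, as read from the tag table */
} Tag;

/* Return 1 if nodestart may be used as an offset into subfile, else 0. */
int nodestart_is_sane(const SubFile *subfile, const Tag *tag)
{
    return tag->nodestart >= 0 && tag->nodestart < subfile->filesize;
}

/* Find the node body for NAME. A tag whose nodestart fails the range check is
   skipped, so a later, valid tag of the same name can still be used; SKIPPED
   counts how many were rejected. Returns NULL when no usable tag exists. */
const char *find_node(const SubFile *subfile, const Tag *tags, size_t ntags,
                      const char *name, int *skipped)
{
    *skipped = 0;
    for (size_t i = 0; i < ntags; i++) {
        if (strcmp(tags[i].nodename, name) != 0)
            continue;
        if (!nodestart_is_sane(subfile, &tags[i])) {
            (*skipped)++;
            continue;           /* maybe a valid tag of the same name follows */
        }
        /* Safe: 0 <= nodestart < filesize, so this byte lies inside contents.
           Without the check, a corrupt offset in the tag table makes
           contents + nodestart point outside the buffer, and the later
           dereference (node_body.buffer[0] in adjust_nodestart) faults. */
        return subfile->contents + tags[i].nodestart;
    }
    return NULL;
}

/* Constructed sample file: two nodes, each introduced by the cookie byte. */
static const char SAMPLE[] =
    "\037\nFile: sample, Node: Top\nTop text\n"
    "\037\nFile: sample, Node: Second\nSecond text\n";

/* Look up NAME in a constructed tag table that mixes good and corrupt entries. */
const char *demo_lookup(const char *name, int *skipped)
{
    SubFile file = { SAMPLE, (long)strlen(SAMPLE) };
    long second = (long)(strchr(SAMPLE + 1, INFO_COOKIE) - SAMPLE);
    Tag tags[] = {
        { "Top",    0 },        /* valid */
        { "Second", -4 },       /* corrupt: negative offset */
        { "Second", second },   /* valid entry with the same name, later in the table */
        { "Third",  100000 },   /* corrupt: beyond filesize */
    };
    return find_node(&file, tags, sizeof tags / sizeof tags[0], name, skipped);
}

int main(void)
{
    const char *names[] = { "Top", "Second", "Third" };
    for (size_t i = 0; i < 3; i++) {
        int skipped;
        const char *body = demo_lookup(names[i], &skipped);
        if (body)
            printf("%s: found at offset %ld (%d corrupt tag(s) skipped)\n",
                   names[i], (long)(body - SAMPLE), skipped);
        else
            printf("%s: no usable tag (%d corrupt tag(s) skipped)\n",
                   names[i], skipped);
    }
    return 0;
}
```

Running it shows "Second" resolving through its second tag after the negative one is rejected, and "Third" yielding no node at all rather than a pointer past the end of the buffer.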
