
Bug#598932: /usr/bin/info segmentation fault



* Sergio Gelato [2010-10-06 19:25:03 +0200]:
> However, that may not now be necessary. I've managed to convince myself
> that the fault occurs somewhere in info/nodes.c:info_node_of_file_buffer_tags()
> --- more precisely in the (inlined) call to adjust_nodestart(). The pointer
> that causes the segfault when dereferenced is node_body.buffer[0]. A comparison
> of the source code:
>   if (node_body.buffer[0] != INFO_COOKIE && min > 2)
>     node_body.buffer -= 3;
> with the disassembly I posted earlier should convince anyone. Note the
> #define INFO_COOKIE '\037'
> in info/nodes.h.

After looking a little more closely at the source code, I feel that the
contents of the *tag structure need some more sanity checking. Before
one sets
	node->contents    = subfile->contents + tag->nodestart;
it would be good to verify that
	tag->nodestart >= 0 && tag->nodestart < subfile->filesize

I'm happy to let upstream figure out the best course of action when the
check fails; my own instinct would be to simply continue the for (i) loop
in case there is a valid tag of the same name later on.

I wouldn't be at all surprised to find more instances of missing input
validation in this code. A full audit would be nice.
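The check proposed above, written out as an added example (not code from the bug report or from GNU texinfo): the `tag_t` and `subfile_t` structs are simplified stand-ins for info's tag and file-buffer structures, and the lookup skips any tag whose `nodestart` falls outside the subfile instead of forming a pointer from it.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for info's tag and file-buffer structures (constructed
   for this example; only the fields named in the report are modelled). */
typedef struct {
    const char *nodename;
    long nodestart;      /* byte offset of the node within the subfile */
} tag_t;

typedef struct {
    const char *contents;
    long filesize;
} subfile_t;

/* Return a pointer to the contents of the first tag named NODENAME whose
   nodestart lies inside the subfile, or NULL if no such tag exists.
   A tag with an out-of-range offset is skipped (the loop continues) so that
   a later, valid tag of the same name can still be used. */
const char *node_contents_checked(const subfile_t *subfile,
                                  const tag_t *tags, size_t ntags,
                                  const char *nodename)
{
    for (size_t i = 0; i < ntags; i++) {
        const tag_t *tag = &tags[i];
        if (strcmp(tag->nodename, nodename) != 0)
            continue;
        /* The sanity check from the report: reject offsets that would place
           the node pointer before the start or beyond the end of the buffer. */
        if (!(tag->nodestart >= 0 && tag->nodestart < subfile->filesize))
            continue;
        return subfile->contents + tag->nodestart;
    }
    return NULL;
}

/* Constructed sample data: a corrupt tag pointing far past the end of the
   file, followed by a valid tag for the same node, plus a negative offset. */
static const char sample_contents[] = "\037\nFile: x,  Node: Top\nhello\n";
static const subfile_t sample_subfile = { sample_contents,
                                          sizeof(sample_contents) - 1 };
static const tag_t sample_tags[] = {
    { "Top",   100000 },  /* bogus offset: dereferencing it would fault */
    { "Top",   0 },       /* valid offset for the same node name */
    { "Other", -5 },      /* negative offset: also rejected */
};
#define SAMPLE_NTAGS (sizeof(sample_tags) / sizeof(sample_tags[0]))
```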
