
Bug#598932: info crashes when selecting a node inside of an info file



Dear all,

http://bugs.debian.org/598932

Down here in the Debian bug tracking system we got a report telling
that info segfaults when selecting a node inside a specific info
file.  The info file has been posted to the bug report^1.  The
submitter and I could reproduce the problem using the info file,
Norbert Preining could not.

The submitter generated some backtraces, finally had a look at the
source code and made the following statements:

<snip>
I've managed to convince myself that the fault occurs somewhere in
info/nodes.c:info_node_of_file_buffer_tags()

--- more precisely in the (inlined) call to adjust_nodestart(). The
pointer that causes the segfault when dereferenced is
node_body.buffer[0].  A comparison of the source code:

  if (node_body.buffer[0] != INFO_COOKIE && min > 2)
    node_body.buffer -= 3;

with the disassembly I posted earlier should convince anyone. Note
the

#define INFO_COOKIE '\037'

in info/nodes.h.
<snap>

and 

<snip>
After looking a little more closely at the source code, I feel that
the contents of the *tag structure need some more sanity checking. 
Before one sets

        node->contents    = subfile->contents + tag->nodestart;
it would be good to verify that
        tag->nodestart >= 0 && tag->nodestart < subfile->filesize

I'm happy to let upstream figure out the best course of action when
the check fails; my own instinct would be to simply continue the for
(i) loop in case there is a valid tag of the same name later on.

I wouldn't be at all surprised to find more instances of missing
input validation in this code.  A full audit would be nice.
<snap>

For reference, here are the steps which caused the segfaults:

To reproduce, get /usr/share/info/accounting.info.gz from version
6.4~pre1-6 of the acct package (see link below).  Then run "info
accounting", navigate to the menu entry for dump-acct, and hit
Return.

Please comment on this.

Many thanks,
  Hilmar Preuße

^1 http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=accounting_stable.info.gz;att=1;bug=598932
-- 
http://www.hilmar-preusse.de.vu/
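As an added illustration (not texinfo's own code, and not part of the mail above), the following C model shows the two checks the submitter describes: rejecting a tag whose nodestart lies outside the file before computing `contents + nodestart`, skipping to a later tag of the same name when it does, and only reading `buffer[0]` in the adjust_nodestart()-style fixup after the offset has been validated. The type and function names (node_tag, file_buffer, find_node_start, adjust_node_start, sample_file) and the sample info buffer are constructed for this example; using the node offset in place of the `min` argument of the real adjust_nodestart() is an assumption made to keep the model self-contained.

```c
/* Constructed model of the info tag-table lookup discussed in
 * Debian bug #598932.  Not texinfo's code; names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INFO_COOKIE '\037'   /* same value as in info/nodes.h */

typedef struct {
    const char *nodename;
    long nodestart;          /* byte offset of the node within the file */
} node_tag;

typedef struct {
    const char *contents;    /* whole (sub)file in memory */
    long filesize;
    node_tag *tags;
    size_t ntags;
} file_buffer;

/* Return the byte offset of the node called NAME, or -1 when no tag of
 * that name carries an offset inside the file.  A tag with an
 * out-of-range nodestart is skipped rather than used, so a valid tag of
 * the same name later in the table still wins (the submitter's
 * "continue the for (i) loop" suggestion). */
long find_node_start(const file_buffer *fb, const char *name)
{
    for (size_t i = 0; i < fb->ntags; i++) {
        const node_tag *tag = &fb->tags[i];
        if (strcmp(tag->nodename, name) != 0)
            continue;
        /* The check proposed in the report, applied before any pointer
         * arithmetic on fb->contents. */
        if (tag->nodestart < 0 || tag->nodestart >= fb->filesize)
            continue;
        return tag->nodestart;
    }
    return -1;
}

/* Mirror of the adjust_nodestart() idiom quoted in the report: step back
 * 3 bytes toward the INFO_COOKIE separator only when the offset allows
 * it (the original's "min > 2"), and only after START has been checked
 * against the buffer so that contents[START] is a safe read. */
long adjust_node_start(const file_buffer *fb, long start)
{
    if (start < 0 || start >= fb->filesize)
        return -1;
    if (fb->contents[start] != INFO_COOKIE && start > 2)
        start -= 3;
    return start;
}

/* Constructed sample file: two nodes separated by INFO_COOKIE.  The tag
 * table contains a bogus offset for dump-acct (as in the crashing file)
 * followed by a valid duplicate. */
static const char sample_contents[] =
    "\037\nFile: x,  Node: Top\ntop text\n"
    "\037\nFile: x,  Node: dump-acct\nbody\n";

static node_tag sample_tags[] = {
    { "Top",       0    },
    { "dump-acct", 9999 },   /* points far past the end of the file */
    { "dump-acct", 31   },   /* offset of the second INFO_COOKIE */
};

file_buffer sample_file(void)
{
    file_buffer fb;
    fb.contents = sample_contents;
    fb.filesize = (long)sizeof sample_contents - 1;
    fb.tags     = sample_tags;
    fb.ntags    = sizeof sample_tags / sizeof sample_tags[0];
    return fb;
}

int main(void)
{
    file_buffer fb = sample_file();
    long start = find_node_start(&fb, "dump-acct");
    printf("dump-acct starts at %ld (bogus tag skipped)\n", start);
    printf("adjusted: %ld\n", adjust_node_start(&fb, start));
    printf("out-of-range adjust: %ld\n", adjust_node_start(&fb, 9999));
    return 0;
}
```

With the bogus tag present, the unchecked original would compute a pointer 9999 bytes into a 64-byte buffer and dereference it; the model instead falls through to the valid tag at offset 31 and reports -1 for an offset that cannot be adjusted safely.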


