lavv17 / lftp

sophisticated command line file transfer program (ftp, http, sftp, fish, torrent)
http://lftp.yar.ru
GNU General Public License v3.0

lftp-4.9.2 handles redirected input file with null pointer access (xlist<Job>::get_next (this=0x0) at xlist.h:67) #603

Open liever18 opened 4 years ago

liever18 commented 4 years ago

When we use the c001 file as the input of lftp, the program first enters the local ftp folder path, which is already abnormal behavior, and then segfaults after processing an unknown command.

$ ./lftp < c001
/home/fujx/Downloads/lftp-4.9.2
Unknown command `Utftp'.
Segmentation fault

c001 is a hex file:

$ xxd c001
00000000: 6c70 201b 2655 7466 7470 0a              lp .&Utftp.

The specific reason is accessing a pointer to 0x0 (this = 0x0, so it can't access 'this->next').

Program received signal SIGSEGV, Segmentation fault.
0x0000000000474fc0 in xlist<Job>::get_next (this=0x0) at xlist.h:67
67     xlist<T> *get_next() const { return next; }
(gdb) bt
#0  0x0000000000474fc0 in xlist<Job>::get_next (this=0x0) at xlist.h:67
#1  0x0000000000473b06 in Job::BuryDoneJobs (this=0x7ea890) at Job.cc:368
#2  0x000000000047743e in CmdExec::Do (this=0x7ea890) at CmdExec.cc:597
#3  0x00000000004d2297 in SMTask::ScheduleThis (this=0x7ea890) at SMTask.cc:209
#4  0x00000000004d241d in SMTask::Schedule () at SMTask.cc:248
#5  0x0000000000474687 in Job::WaitDone (this=0x7ea890) at Job.cc:557
#6  0x000000000046b870 in main (argc=1, argv=0x7fffffffe028) at lftp.cc:594
(gdb) s
xlist<Job>::get_next (this=0x0) at xlist.h:67
67     xlist<T> *get_next() const { return next; }
(gdb) print next
Cannot access memory at address 0x0
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0000000000474fc0 in xlist<Job>::get_next (this=0x0) at xlist.h:67
67     xlist<T> *get_next() const { return next; }
(gdb) print this
$42 = (const xlist<Job> * const) 0x0

This crash can occur on both Ubuntu 14.04 and Ubuntu 18.04 systems.

liever18 commented 4 years ago

lftp-4.9.1 and lftp-4.8.4 can also reproduce the error.