lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Null pointer dereference in function set_graceoffs() in music.c #94

Closed chibataiki closed 3 years ago

chibataiki commented 3 years ago

Hi, a null pointer dereference was found in function set_graceoffs() in music.c.

version : b19a91d

env: ubuntu 20.04 x86_64, gcc version 9.3.0

reproduce:

./configure
make
./abcm2ps poc

null_pointer_music.cset_graceoffs_760.zip

In the for loop at line 759 and the following code, it is not checked whether g is valid.

potential fix

--- a/music.c   
+++ b/music.c
@@ -756,10 +756,15 @@
    gspinside = ((cfmt.gracespace >> 8) & 0xff) * 0.1;
    gspright = (cfmt.gracespace & 0xff) * 0.1;
    xx = 0;
-   for (g = s->extra; ; g = g->next) {
+   for (g = s->extra; g ; g = g->next) {
        if (g->type == NOTEREST)
            break;
    }
+   if(!g) {
+       error(1, NULL, "xxxxx - abort");
+       exit(EXIT_FAILURE);
+   }
+
    g->sflags |= S_BEAM_ST;
    for ( ; ; g = g->next) {
        if (g->type != NOTEREST) {
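Review bot: the message in the added `if(!g)` block is a placeholder (`error(1, NULL, "xxxxx - abort");`) and should state what was found, e.g. that the grace group in `s->extra` contains no NOTEREST symbol, so the report is actionable from the log. The second loop that the hunk's last context line opens, `for ( ; ; g = g->next) {`, has the same unterminated shape as the loop being fixed; whether its body stops at a NULL `g` cannot be seen from the hunk, so it is worth confirming that a group ending in a NOTEREST does not walk off the end of the list there too. Consider also whether skipping the malformed grace group is preferable to `exit(EXIT_FAILURE)`, since the rest of the tune can still be rendered. Minor style: the surrounding code writes `if (` with a space.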

or add more checks of pointer p

debug info

── source:music.c+760 ────
    755     gspleft = (cfmt.gracespace >> 16) * 0.1;
    756     gspinside = ((cfmt.gracespace >> 8) & 0xff) * 0.1;
    757     gspright = (cfmt.gracespace & 0xff) * 0.1;
    758     xx = 0;
    759     for (g = s->extra; ; g = g->next) {
           // g=0x00007fffffffdec0  →  0x0000000000000000
 →  760         if (g->type == NOTEREST)
    761             break;
    762     }
    763     g->sflags |= S_BEAM_ST;
    764     for ( ; ; g = g->next) {
    765         if (g->type != NOTEREST) {

[#0] 0x5555555882e5 → set_graceoffs(s=0x5555556226f8)
[#1] 0x555555589be7 → set_width(s=0x5555556226f8)
[#2] 0x55555558a15b → set_allsymwidth(last_s=0x0)
[#3] 0x55555559552b → output_music()
[#4] 0x555555597aeb → generate()
[#5] 0x555555597c2e → gen_ly(eob=0x0)
[#6] 0x55555559eca1 → do_tune()
[#7] 0x55555555e4f1 → abc_eof()
[#8] 0x555555585f83 → frontend(s=0x5555555f6bcb "", ftype=0x0, fname=0x5555555fab00 "afl-collect-epsf/master:id:000678,sig:11,src:009082,time:63313349,op:havoc,rep:4", linenum=0x5)
[#9] 0x55555555c4ba → treat_file(fn=0x7fffffffe671 "afl-collect-epsf/master:id:000678,sig:11,src:009082,time:63313349,op:havoc,rep:4", ext=0x5555555ba0a6 "abc")

gef➤  p g
$4 = (struct SYMBOL *) 0x0
gef➤  p g->type
Cannot access memory at address 0x39
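As an added illustration of the defensive pattern the report asks for (not code from abcm2ps itself), the following stand-alone C program models the `s->extra` symbol list with a constructed `struct SYMBOL` and shows the list scan with an end-of-list test, so a grace group that contains no NOTEREST symbol is reported as malformed instead of dereferencing NULL. The struct, the `find_first_note` and `mark_grace_beam` helpers and the sample lists are all hypothetical stand-ins, not the project's own definitions.

```c
#include <stddef.h>

/* Constructed stand-in for the abcm2ps symbol list: a singly linked list
 * of symbols, each with a type; NOTEREST marks a real note or rest. */
enum { GRACE_OTHER = 0, NOTEREST = 1 };

struct SYMBOL {
    int type;
    unsigned sflags;
    struct SYMBOL *next;
};
#define S_BEAM_ST 0x1u

/* Hardened version of the scan from the report: the loop condition tests g,
 * so a list with no NOTEREST ends with NULL instead of a NULL dereference. */
static struct SYMBOL *find_first_note(struct SYMBOL *extra)
{
    struct SYMBOL *g;
    for (g = extra; g != NULL; g = g->next)
        if (g->type == NOTEREST)
            return g;
    return NULL;
}

/* Models the start of set_graceoffs(): mark the first note as beam start.
 * Returns 1 when the grace group is valid, 0 when it is malformed, so the
 * caller can skip the group rather than abort the whole run. */
static int mark_grace_beam(struct SYMBOL *extra)
{
    struct SYMBOL *g = find_first_note(extra);
    if (g == NULL)
        return 0;
    g->sflags |= S_BEAM_ST;
    /* The follow-on scan also stops at end of list, not only at a non-note. */
    for (; g != NULL && g->type == NOTEREST; g = g->next)
        ;
    return 1;
}

/* Constructed sample lists: one well-formed, one with no NOTEREST at all. */
static struct SYMBOL sym_c = { NOTEREST, 0, NULL };
static struct SYMBOL sym_b = { GRACE_OTHER, 0, &sym_c };
static struct SYMBOL sym_a = { GRACE_OTHER, 0, &sym_b };  /* a -> b -> c(note) */
static struct SYMBOL bad_b = { GRACE_OTHER, 0, NULL };
static struct SYMBOL bad_a = { GRACE_OTHER, 0, &bad_b };  /* no note anywhere */

int main(void)
{
    /* exit status 0 when the valid group is marked and the bad one rejected */
    return (mark_grace_beam(&sym_a) == 1 && mark_grace_beam(&bad_a) == 0) ? 0 : 1;
}
```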

chibataiki commented 3 years ago

Fixed