lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Improper null termination in function draw_hl() in draw.c #96

Closed chibataiki closed 3 years ago

chibataiki commented 3 years ago

Hi,

Improper null termination happened while running strlen() on a NULL pointer.

version : 9fa642d

env: ubuntu 20.04 x86_64 gcc version 9.3.0

reproduce:
./configure
make
./abcm2ps poc
null_pointer_draw.c_draw_hl_999.zip

A check can be added in draw_hl() or at the location which calls draw_hl(), to ensure the value is valid.

debug info:

─── trace ────
[#0] 0x7ffff7b3f675 → __strlen_avx2()
[#1] 0x555555572645 → draw_hl(x=35, staffb=-47, up=0x0, y=0xffffffaf, stafflines=0x0, hltype=0x5555555bd3c1 "hl")
[#2] 0x555555572d54 → draw_keysig(p_voice=0x5555555e7e20 <voice_tb+512>, x=35, s=0x555555612870)
[#3] 0x55555557ee24 → draw_symbols(p_voice=0x5555555e7e20 <voice_tb+512>)
[#4] 0x55555557f035 → draw_all_symb()
[#5] 0x555555595690 → output_music()
[#6] 0x555555597b42 → generate()
[#7] 0x555555597c85 → gen_ly(eob=0x0)
[#8] 0x55555559ed75 → do_tune()
[#9] 0x55555555e4f1 → abc_eof()
─ threads ────
[#0] Id 1, Name: "abcm2ps", stopped 0x7ffff7b3f675 in __strlen_avx2 (), reason: SIGSEGV
────────
gef➤  up
#1  0x0000555555572645 in draw_hl (x=35, staffb=-47, up=0x0, y=0xffffffaf, stafflines=0x0, hltype=0x5555555bd3c1 "hl") at draw.c:999
999     l = strlen(stafflines);
gef➤  p stafflines
$1 = 0x0
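As an added illustration (not code from abcm2ps's draw.c), the two placements the report suggests for the guard, written against a hypothetical stand-in for the ledger-line count that draw_hl() derives from strlen(stafflines). The staff conventions (one character per staff line, lines 6 units apart from y = 0, one ledger line per 6 units outside the staff) and the function names are assumptions; the sample inputs reuse the trace's arguments, where y=0xffffffaf is -81 as a signed int.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the crashing path in draw_hl(), added here to
 * show the missing check; it is not abcm2ps's own code. Assumed conventions:
 * stafflines holds one character per staff line, the lines sit LINE_STEP
 * units apart starting at y = 0, and a note at height y outside the staff
 * needs one ledger ("helper") line every LINE_STEP units. */
#define LINE_STEP 6

/* Unguarded form, reproducing the fault class in the report: strlen() is
 * called on stafflines before anything has checked that it is non-NULL,
 * so a NULL staff definition faults inside the C library (__strlen_avx2). */
int hl_count_unguarded(int up, int y, const char *stafflines)
{
    int l = (int)strlen(stafflines);    /* SIGSEGV when stafflines == NULL */
    int top = (l - 1) * LINE_STEP;      /* y of the highest staff line */

    if (up)
        return y > top ? (y - top) / LINE_STEP : 0;
    return y < 0 ? (-y) / LINE_STEP : 0;
}

/* Guarded form (check inside draw_hl): a NULL or empty staff definition
 * means there is no staff to draw ledger lines against, so report 0 lines
 * rather than dereferencing the pointer. */
int hl_count(int up, int y, const char *stafflines)
{
    int l, top;

    if (stafflines == NULL || *stafflines == '\0')
        return 0;
    l = (int)strlen(stafflines);
    top = (l - 1) * LINE_STEP;
    if (up)
        return y > top ? (y - top) / LINE_STEP : 0;
    return y < 0 ? (-y) / LINE_STEP : 0;
}

/* Caller-side form (check at the call site, the report's other option):
 * returns 1 when the caller may proceed into the ledger-line code and 0
 * when the staff definition is missing and the call must be skipped. */
int hl_call_is_safe(const char *stafflines)
{
    return stafflines != NULL && *stafflines != '\0';
}
```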
chibataiki commented 3 years ago

Tried, thank you for the fix!