lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC notation to sheet music in PostScript or SVG format. It is an extension of abc2ps which can handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Null pointer dereference in function draw_tuplet() in draw.c #97

Closed chibataiki closed 3 years ago

chibataiki commented 3 years ago

Hi, a null pointer dereference was found in function draw_tuplet() in draw.c.

version: 9fa642d

env: Ubuntu 20.04 x86_64, gcc 9.3.0

reproduce:
./configure
make
./abcm2ps poc
null_pointer_draw.c_draw_tuplet_2711.zip

debug info

─ source:draw.c+2711 ────
   2706             if (ym < yy)
   2707                 b += ym - yy;
   2708             b -= 10;
   2709         }
   2710         for (sy = s1; ; sy = sy->next) {
            // sy=0x00007fffffffdfd8  →  0x0000000000000000
 → 2711             if (sy->x >= xm)
   2712                 break;
   2713         }
   2714         if (s1->stem * s2->stem > 0) {
   2715             if (s1->stem > 0)
   2716                 xm += GSTEM_XOFF;

── threads ────
[#0] Id 1, Name: "abcm2ps", stopped 0x555555577af6 in draw_tuplet (), reason: SIGSEGV
── trace ──
[#0] 0x555555577af6 → draw_tuplet(t=0x55555562cae0, s=0x55555562cd30)
[#1] 0x55555557cb55 → draw_sym_near()
[#2] 0x555555595481 → delayed_output(indent=0)
[#3] 0x555555595684 → output_music()
[#4] 0x555555597b42 → generate()
[#5] 0x555555597c85 → gen_ly(eob=0x0)
[#6] 0x55555559ed75 → do_tune()
[#7] 0x55555555e4f1 → abc_eof()
[#8] 0x555555585fba → frontend()
[#9] 0x55555555c4ba → treat_file()
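The loop at draw.c:2711 in the listing above walks the symbol list with no termination test other than `sy->x >= xm`; when every symbol of the tuplet lies left of `xm`, `sy->next` becomes NULL and `sy->x` faults, which is what the SIGSEGV and the `sy=0x...dfd8 → 0x0` annotation show. The following added example (editor's code, not part of this issue and not the project's source or its fix) reproduces that loop shape on a minimal stand-in for the symbol list and places the hardened walk beside it. `struct sym`, `make_list`, the two sample lists and the fall-back policy in `tuplet_anchor` are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Minimal stand-in for the abcm2ps symbol list: only the fields the loop at
 * draw.c:2711 touches. This struct is an assumption for the example, not the
 * project's real symbol structure. */
struct sym {
    float x;            /* horizontal position on the staff */
    struct sym *next;   /* next symbol in the voice, NULL at the end */
};

#define MAX_SYMS 16
static struct sym pool[MAX_SYMS];

/* Build a NULL-terminated list from an array of x positions. The list lives
 * in a static pool, so each call replaces the previous list. */
struct sym *make_list(const float *xs, size_t n)
{
    size_t i;
    if (xs == NULL || n == 0 || n > MAX_SYMS)
        return NULL;
    for (i = 0; i < n; i++) {
        pool[i].x = xs[i];
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    return &pool[0];
}

/* Constructed sample inputs for the demonstration (not from the report's poc).
 * In the second list no symbol reaches xm = 100, which is the condition under
 * which the unchecked loop below dereferences NULL. */
struct sym *sample_with_match(void)
{
    static const float xs[] = { 10.0f, 40.0f, 90.0f, 120.0f };
    return make_list(xs, 4);
}

struct sym *sample_without_match(void)
{
    static const float xs[] = { 10.0f, 40.0f, 90.0f };
    return make_list(xs, 3);
}

/* Shape of the loop in the report: it assumes a symbol at or past xm exists
 * somewhere on the list, so it never tests sy for NULL. Walking off the end
 * of the list is a NULL dereference. Only call this with input that satisfies
 * the assumption. */
struct sym *find_at_or_after_unchecked(struct sym *s1, float xm)
{
    struct sym *sy;
    for (sy = s1; ; sy = sy->next) {
        if (sy->x >= xm)
            break;
    }
    return sy;
}

/* Hardened walk: list exhaustion becomes a normal outcome. Returns NULL when
 * no symbol reaches xm, so the caller must handle that case explicitly. */
struct sym *find_at_or_after(struct sym *s1, float xm)
{
    struct sym *sy;
    for (sy = s1; sy != NULL; sy = sy->next) {
        if (sy->x >= xm)
            return sy;
    }
    return NULL;
}

/* One way a caller can absorb the NULL result: fall back to the last symbol
 * of the list so later code still has a valid anchor. This fallback policy is
 * an assumption for the example, not what the project's fix does. */
struct sym *tuplet_anchor(struct sym *s1, float xm)
{
    struct sym *sy = find_at_or_after(s1, xm);
    if (sy != NULL)
        return sy;
    for (sy = s1; sy != NULL && sy->next != NULL; sy = sy->next)
        ;
    return sy;   /* NULL only when s1 itself was NULL */
}

int main(void)
{
    struct sym *sy;

    sy = find_at_or_after_unchecked(sample_with_match(), 100.0f);
    printf("unchecked loop, match exists: x=%.0f\n", sy->x);

    sy = find_at_or_after(sample_without_match(), 100.0f);
    printf("checked loop, no match: %s\n", sy == NULL ? "NULL (handled)" : "found");
    printf("fallback anchor: x=%.0f\n", tuplet_anchor(sample_without_match(), 100.0f)->x);
    return 0;
}
```

Running `find_at_or_after_unchecked` on `sample_without_match()` reproduces the crash class from the trace (a read through a NULL `sy`), so the program deliberately only feeds it a list that contains a match; the checked variant is the one to use on untrusted ABC input, where the tuplet geometry is entirely attacker controlled.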
chibataiki commented 3 years ago

Tried, thanks for the fix.