search

lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0
82 stars 31 forks source link

null pointer deference in function gchord_width() in music.c #98

Closed chibataiki closed 3 years ago

chibataiki commented 3 years ago

Hi , Null pointer deference was found in function gchord_width() in music.c.

version : 9fa642d

env: ubuntu 20.04 x86_64 gcc version 9.3.0

reproduce: ./configure make ./abcm2ps poc

null_pointer_music.c_gchord_width_880.zip

Here didn't check whether s2 is valid, add check here or the for loop above or more deeper.

debug info

─ source:music.c+880 ────
    875             for (s2 = s->ts_next; ; s2 = s2->ts_next) {
    876                 if (s2 == s->next) {
    877                     AT_LEAST(s->wr, rspc);
    878                     break;
    879                 }
 →  880                 if (s2->sflags & S_SEQST)
    881                     rspc -= 8;
    882             }
    883         }
    884         if (arspc != 0)
    885             AT_LEAST(s->wr, arspc);
── threads ────
[#0] Id 1, Name: "abcm2ps", stopped 0x55555557cbd8 in gchord_width (), reason: SIGSEGV
─── trace ────
[#0] 0x55555557cbd8 → gchord_width(s=0x55555560bd28, wlnote=8, wlw=8)
[#1] 0x555555580557 → set_width(s=0x55555560bd28)
[#2] 0x5555555809b4 → set_allsymwidth(last_s=0x0)
[#3] 0x555555583833 → output_music()
[#4] 0x55555558a177 → generate()
[#5] 0x55555558a177 → generate()
[#6] 0x55555558a5f8 → gen_ly(eob=0x0)
[#7] 0x555555590918 → do_tune()
[#8] 0x55555555eb7d → abc_eof()
[#9] 0x55555557ae6c → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=0xf)
chibataiki commented 3 years ago

Tried and fix, thanks for the work .