michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0

Security Vulnerability - Action Required: NULL Pointer Dereference may in your project #532

Closed Crispy-fried-chicken closed 1 week ago

Crispy-fried-chicken commented 1 week ago

Hi, we have detected that your project may be vulnerable to a NULL pointer dereference in the function file_basename in the file htmldoc/file.c. It shares similarities with a recent CVE disclosure, CVE-2021-23180, in htmldoc.

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2021-23180
Description: A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-23180
Patch: https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

michaelrsweet commented 1 week ago

Looks like the same issue could happen here...

michaelrsweet commented 1 week ago

[master 6fb16b8] Update file_basename implementation to handle really long filenames (Issue #532)

Crispy-fried-chicken commented 1 week ago

@michaelrsweet is there any need to request a CVE ID because of the high priority here?

michaelrsweet commented 1 week ago

I really don’t think so. We really didn’t need one for the other bug, and it isn’t like you could do anything besides crash the program.

Crispy-fried-chicken commented 1 week ago

But crashing the program itself is a consequence, so don’t we need to inform users by applying for a CVE ID?

michaelrsweet commented 1 week ago

Crash != CVE