Hello,
The str variable has a NULL value and can be executed from an if statement. (Normally, the damaged file)
So a segmentation fault occurs.
In my opinion, it seems necessary to reinforce the if statement of the processTags function.
Problem code:
liblognorm/src/v1_samp.c
Lines 520 to 542 in 1fad7c6
For patch code example:
+ if(buf[i] == ',' && str != NULL) {
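Review bot: folding str != NULL into the buf[i] == ',' condition means a comma seen while str is NULL no longer takes this branch and is handled by whatever follows the if, so confirm that path does not treat the ',' as ordinary tag content. A separate check inside the comma branch that skips or rejects the empty tag would make the intent explicit. The backtrace also shows addTagStrToBucket receiving tagname=0x0 at v1_samp.c:497 before the crash in es_str2cstr, so a NULL check in that function would cover any other caller as well.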
PoC code:
karas@sec:~/liblognorm/src$ cat poc
rule=,
gdb backtrace:
karas@sec:~/liblognorm/src$ gdb ./lognormalizer
Starting program: /home/karas/liblognorm/src/lognormalizer -r c
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79c73de in es_str2cstr () from /usr/lib/libestr.so.0
(gdb) bt full
#0 0x00007ffff79c73de in es_str2cstr () from /usr/lib/libestr.so.0
No symbol table info available.
#1 0x000055555556e40c in addTagStrToBucket (ctx=0x555555782260, tagname=0x0, tagBucket=0x7fffffffb600) at v1_samp.c:497
        r = -1
        cstr = 0x5b0000006e <error: Cannot access memory at address 0x5b0000006e>
        tag = 0x0
#2 0x000055555556e50f in processTags (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6, poffs=0x7fffffffb5d8, tagBucket=0x7fffffffb600) at v1_samp.c:532
        r = -1
        str = 0x0
        i = 5
        __PRETTY_FUNCTION__ = "processTags"
#3 0x000055555556e69f in processRule (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6, offs=5) at v1_samp.c:577
        r = -1
        str = 0x7fffffffb6c0
        tagBucket = 0x555555783e60
#4 0x000055555556edea in ln_v1_processSamp (ctx=0x555555782260, buf=0x7fffffffb6c0 "rule=,", lenBuf=6) at v1_samp.c:773
        samp = 0x0
        typeStr = 0x555555783e40
        offs = 5
#5 0x000055555556f0e1 in ln_v1_sampRead (ctx=0x555555782260, repo=0x555555782380, isEof=0x7fffffffdef8) at v1_samp.c:837
        samp = 0x0
        buf = "rule=,", '\000' <repeats 1946 times>...
        i = 6
        inParser = 0
        done = 1
#6 0x000055555556a64c in ln_v1_loadSamples (ctx=0x555555782260, file=0x7fffffffe440 "c") at v1_liblognorm.c:94
        r = 0
        repo = 0x555555782380
        samp = 0x0
        isEof = 0
        fn_to_free = 0x555555782e10 "c"
#7 0x000055555555f161 in doOldCruft (ctx=0x555555782260, file=0x7fffffffe440 "c") at samp.c:1082
        r = -1
#8 0x000055555555f47d in ln_sampLoad (ctx=0x555555782260, file=0x7fffffffe440 "c") at samp.c:1152
        r = 1
        repo = 0x555555782380
        isEof = 0
        version = 1
#9 0x00005555555581c3 in ln_loadSamples (ctx=0x555555782260, file=0x7fffffffe440 "c") at liblognorm.c:167
        r = 0
        tofree = 0x555555782360 "c"
#10 0x0000555555557d0d in main (argc=3, argv=0x7fffffffe108) at lognormalizer.c:493
        opt = -1
        repository = 0x7fffffffe440 "c"
        usedRB = 1
        ret = 0
        fpStats = 0x0
        fpStatsDOT = 0x0
        extendedStats = 0
Thanks.
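The failure mode reported above, as an added example that is not part of the original issue and is not liblognorm code: a simplified tag scanner whose accumulator stays NULL until a tag character arrives, with the empty-tag case rejected before anything is dereferenced. The names parse_tags, add_tag and struct bucket, the fixed buffer sizes and the choice to reject rather than skip an empty tag are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a "rule=tag1,tag2:..." tag scanner; NOT liblognorm code.
 * str stays NULL until a tag character is seen (the backtrace's str = 0x0). */
struct bucket { char tags[8][32]; int n; };

/* Stand-in for addTagStrToBucket(): refuses NULL or empty names itself. */
static int add_tag(struct bucket *b, const char *tag)
{
    if (tag == NULL || *tag == '\0' || b->n == 8)
        return -1;
    strcpy(b->tags[b->n++], tag);   /* callers pass at most 31 bytes + NUL */
    return 0;
}

/* Returns the number of tags stored, or -1 on a malformed tag list. */
int parse_tags(const char *buf, size_t len, size_t offs, struct bucket *b)
{
    char cur[32];
    char *str = NULL;               /* no tag started yet */
    size_t n = 0;
    b->n = 0;
    for (size_t i = offs; i < len && buf[i] != ':'; i++) {
        if (buf[i] != ',') {        /* ordinary tag character */
            if (n + 1 >= sizeof cur)
                return -1;
            cur[n++] = buf[i];
            cur[n] = '\0';
            str = cur;
        } else if (str == NULL) {   /* empty tag: reject, never dereference */
            return -1;
        } else {
            if (add_tag(b, str) != 0)
                return -1;
            str = NULL;
            n = 0;
        }
    }
    if (str != NULL && add_tag(b, str) != 0)
        return -1;
    return b->n;
}

int main(void)
{
    struct bucket b;
    printf("%d\n", parse_tags("rule=,", 6, 5, &b));  /* the PoC line, offs = 5 */
    return 0;
}
```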