Hi. I was reading the code of wordsplit.c and find something that looks
like a null pointer dereference vulnerability. Could you check?
Cheers
static int
coalesce_segment (struct wordsplit *wsp, struct wordsplit_node *node)
{
struct wordsplit_node *p, *end;
size_t len = 0;
char *buf, *cur;
for (p = node; p->flags & _WSNF_JOIN; )
len += wsnode_len (p);
// Value assigned to field 'next'
p = p->next;
if (!p)
// Assuming 'p' is null
break;
if (p == node)
end = p;
buf = malloc (len + 1);
if (!buf)
// Assuming 'buf' is non-null
cur = buf;
p = node;
for (;;)
struct wordsplit_node *next = p->next;
// 'next' initialized to a null pointer value
// Access to field 'next' results in a dereference of a null pointer
(loaded from variable 'p')
const char *str = wsnode_ptr (wsp, p);
size_t slen = wsnode_len (p);
memcpy (cur, str, slen);
cur += slen;
if (p != node)
