This potentially erroneous call to put_entries() happens only if
a malloc at a very early stage fails. In my opinion, the call to
put_entries() in pfnote() should be wrapped:

--- tree.c.ORIG 2019-11-04 09:01:30.320610560 +0100
+++ tree.c      2019-11-04 09:02:09.024609588 +0100
@@ -57,7 +57,8 @@ pfnote(char *name, int ln)

        if (!(np = malloc(sizeof(NODE)))) {
                warnx("too many entries to sort");
-               put_entries(head);
+               if (head)
+                       put_entries(head);
                free_tree(head);
                if (!(head = np = malloc(sizeof(NODE))))
                        err(1, NULL);
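Review bot: the new `if (head)` guard covers only the `put_entries(head);` call; the very next line, `free_tree(head);`, is still reached with the same NULL head, and the hunk does not show whether free_tree() tolerates NULL. Either confirm that it does, or put `free_tree(head);` under the same `if` so both calls are skipped when nothing has been inserted yet. A one-line comment above the block noting that head is NULL on a first-allocation failure would also make the purpose of the guard clear to the next reader.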



It's a very special case, but apparently one you have run into.


On Sun, 2019-11-03 at 23:04 -0800, Brandon Falk wrote:
> I came across a NULL dereference in ctags which is relatively simple.
>
> The `put_entries()` function does not check for `NULL` on a `node` value,
> and thus when a `malloc()` fails the first time `pfnote()` (tree.c) is
> called it is possible to `put_entries(head);`. At this point `head` is
> still `NULL` (initial state) and thus a NULL deref occurs.
>
> Just adding a `NULL` check on `node` in `put_entries()` should do the trick.
>
> Relevant code in `tree.c`
> ```c
> void
> pfnote(char *name, int ln)
> {
>     NODE    *np;
>     char    *fp;
>     char    nbuf[1+MAXNAMLEN+1];
>
>     if (!(np = malloc(sizeof(NODE)))) {
>         warnx("too many entries to sort");
>         put_entries(head); /* <--- NULL deref here */
> ```
>
> Relevant code in `print.c`
> ```c
> void
> put_entries(NODE *node)
> {
>     if (node->left) /* <--- crash here on dereference */
>         put_entries(node->left);
> ```
>
> Stack trace:
>
> ```
> (gdb) bt
> #0  0x00000dffb208f0bd in put_entries (node=0x0) at /usr/src/usr.bin/ctags/print.c:95
> #1  0x00000dffb208f275 in pfnote (name=0x7f7ffffd0c60 "main", ln=3) at /usr/src/usr.bin/ctags/tree.c:60
> #2  0x00000dffb208c663 in c_entries () at /usr/src/usr.bin/ctags/C.c:163
> #3  0x00000dffb208d951 in main (argc=1, argv=0x7f7ffffd0d80) at /usr/src/usr.bin/ctags/ctags.c:139
> ```
>
> -B
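The failure path discussed in this thread, as an added example that is not ctags code: a scaled-down model of the sorted entry tree with an injectable allocation failure, showing both fixes side by side, the callee-side NULL check suggested in the report and the call-site guard from the proposed tree.c patch. The names `NODE`, `pfnote_model`, `put_entries_safe`, `xalloc` and the two scenario functions are this example's own assumptions; the real pfnote() and put_entries() do more than this.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scaled-down model of ctags' sorted entry tree (names are this example's own). */
typedef struct node {
    struct node *left, *right;
    char *entry;
} NODE;

static NODE *head;              /* NULL until the first successful insert, as in ctags */
static int fail_next_alloc;     /* test hook: make the next xalloc() return NULL */
static int entries_emitted;     /* entries written by the most recent flush */

static void *xalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;            /* simulated malloc() failure */
    }
    return malloc(n);
}

/* In-order walk that "prints" entries (here: counts them). Unlike the
 * print.c excerpt, it checks for an empty tree before dereferencing
 * (the callee-side fix from the report). */
void put_entries_safe(NODE *node)
{
    if (node == NULL)
        return;
    put_entries_safe(node->left);
    entries_emitted++;
    put_entries_safe(node->right);
}

void free_tree(NODE *node)
{
    if (node == NULL)
        return;
    free_tree(node->left);
    free_tree(node->right);
    free(node->entry);
    free(node);
}

/* Insert name into the tree. If the node allocation fails, flush and
 * discard whatever has been sorted so far, then retry once, as pfnote()
 * does. Returns 1 on success, 0 if the retry allocation also fails. */
int pfnote_model(const char *name)
{
    NODE *np = xalloc(sizeof(NODE)), **pp;
    size_t len = strlen(name) + 1;

    if (np == NULL) {
        entries_emitted = 0;
        if (head)                   /* call-site guard from the tree.c patch */
            put_entries_safe(head);
        free_tree(head);            /* free_tree() here tolerates NULL */
        head = NULL;
        if ((np = xalloc(sizeof(NODE))) == NULL)
            return 0;
    }
    np->left = np->right = NULL;
    if ((np->entry = malloc(len)) == NULL) {
        free(np);
        return 0;
    }
    memcpy(np->entry, name, len);
    for (pp = &head; *pp != NULL; )
        pp = strcmp(name, (*pp)->entry) < 0 ? &(*pp)->left : &(*pp)->right;
    *pp = np;
    return 1;
}

/* Scenario from the report: the very first allocation fails while head is
 * still NULL. Returns the number of entries flushed (0, nothing was sorted
 * yet) or -1 if the insert did not succeed. */
int first_alloc_failure(void)
{
    free_tree(head);
    head = NULL;
    entries_emitted = 0;
    fail_next_alloc = 1;
    if (!pfnote_model("main"))
        return -1;
    return entries_emitted;
}

/* Ordinary case: three entries sorted, then an allocation failure flushes
 * them before the tree is reset. Returns the flushed count (3). */
int later_alloc_failure(void)
{
    free_tree(head);
    head = NULL;
    pfnote_model("main");
    pfnote_model("argv_parse");
    pfnote_model("usage");
    fail_next_alloc = 1;
    if (!pfnote_model("cleanup"))
        return -1;
    return entries_emitted;
}

int main(void)
{
    printf("first alloc failure flushed %d entries\n", first_alloc_failure());
    printf("later alloc failure flushed %d entries\n", later_alloc_failure());
    return 0;
}
```

With the unpatched print.c logic, `first_alloc_failure()` would dereference NULL exactly as in the posted backtrace; either of the two checks alone is enough to avoid that, and keeping both costs nothing while documenting the assumption at the call site.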
