Public bug reported:
Hello,
Below is some description about crash, found by dynamic analysis tool Sydr
(part of Crusher system) https://www.ispras.ru/en/technologies/sydr/ developed
in ISP RAS
System Ubuntu 20.04.2 LTS.
Package: libhdf4_4.2.14-1ubuntu1.debian.tar.xz
Crash description:
(gdb) r
Starting program:
/home/fedotoff/hdp-test/hdp-crash/libhdf4-4.2.14/install/bin/hdp dumpsds
./segfault26.hdf
Program received signal SIGSEGV, Segmentation fault.
0x0000000000471e18 in Hendaccess (access_id=268435457) at hfile.c:1695
1695 ret_value = (*access_rec->special_func->endaccess) (access_rec);
(gdb) bt
#0 0x0000000000471e18 in Hendaccess (access_id=268435457) at hfile.c:1695
#1 0x00000000004aacdf in Load_vfile (f=536870912) at vgp.c:440
#2 0x00000000004aa7ed in Vinitialize (f=536870912) at vgp.c:743
#3 0x000000000041d16e in NC_new_cdf (name=0x7fffffffd5a0 "./segfault26.hdf",
mode=0) at cdf.c:452
#4 0x00000000004233d6 in NC_open (path=0x7fffffffd5a0 "./segfault26.hdf",
mode=0) at file.c:307
#5 0x000000000042353e in ncopen (path=0x7fffffffd5a0 "./segfault26.hdf",
mode=0) at file.c:362
#6 0x0000000000429b00 in SDstart (name=0x7fffffffd5a0 "./segfault26.hdf",
HDFmode=1) at mfsd.c:378
#7 0x0000000000410cc7 in dsd (dumpsds_opts=0x7fffffffd700, curr_arg=3, argc=3,
argv=0x7fffffffdb08) at hdp_sds.c:1218
#8 0x00000000004116d7 in do_dumpsds (curr_arg=2, argc=3, argv=0x7fffffffdb08,
help=0) at hdp_sds.c:1454
#9 0x0000000000402950 in main (argc=3, argv=0x7fffffffdb08) at hdp.c:146
(gdb) p/x acce
accept accept4 access acc...@got.plt access@plt
access_id access_rec access_type
(gdb) p/x access_rec->special_func
$1 = 0x0
Here the null pointer is dereferenced due to function call.
I think, the problem is because in function HIget_function_table from file
hfile.c we do the assignment:
2615 access_rec->special=(intn)spec_code;
There is no assignment in cycle, so function return Null.
for (i = 0; functab[i].key != 0; i++)
{
if (access_rec->special == functab[i].key)
{
ret_value = functab[i].tab;
break; /* break out of loop */
}
}
done:
if(ret_value == NULL)
{ /* Error condition cleanup */
} /* end if */
/* Normal function cleanup */
return ret_value;
The Idea of Fix is to place assignment at line 2615 before "break"
statement.
** Affects: libhdf4 (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "input to reproduce"
https://bugs.launchpad.net/bugs/1915407/+attachment/5462697/+files/segfault26.hdf
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915407
Title:
Hdp from hdf4-tools crashes on function null pointer dereference
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libhdf4/+bug/1915407/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
