Public bug reported:

Hello,

Below is some description of a crash found by the dynamic analysis tool Sydr (part of the Crusher system), https://www.ispras.ru/en/technologies/sydr/ , developed at ISP RAS.

System: Ubuntu 20.04.2 LTS.
Package: libhdf4_4.2.14-1ubuntu1.debian.tar.xz

Crash description:

(gdb) r
Starting program: /home/fedotoff/hdp-test/hdp-crash/libhdf4-4.2.14/install/bin/hdp dumpsds ./segfault26.hdf

Program received signal SIGSEGV, Segmentation fault.
0x0000000000471e18 in Hendaccess (access_id=268435457) at hfile.c:1695
1695        ret_value = (*access_rec->special_func->endaccess) (access_rec);
(gdb) bt
#0  0x0000000000471e18 in Hendaccess (access_id=268435457) at hfile.c:1695
#1  0x00000000004aacdf in Load_vfile (f=536870912) at vgp.c:440
#2  0x00000000004aa7ed in Vinitialize (f=536870912) at vgp.c:743
#3  0x000000000041d16e in NC_new_cdf (name=0x7fffffffd5a0 "./segfault26.hdf", mode=0) at cdf.c:452
#4  0x00000000004233d6 in NC_open (path=0x7fffffffd5a0 "./segfault26.hdf", mode=0) at file.c:307
#5  0x000000000042353e in ncopen (path=0x7fffffffd5a0 "./segfault26.hdf", mode=0) at file.c:362
#6  0x0000000000429b00 in SDstart (name=0x7fffffffd5a0 "./segfault26.hdf", HDFmode=1) at mfsd.c:378
#7  0x0000000000410cc7 in dsd (dumpsds_opts=0x7fffffffd700, curr_arg=3, argc=3, argv=0x7fffffffdb08) at hdp_sds.c:1218
#8  0x00000000004116d7 in do_dumpsds (curr_arg=2, argc=3, argv=0x7fffffffdb08, help=0) at hdp_sds.c:1454
#9  0x0000000000402950 in main (argc=3, argv=0x7fffffffdb08) at hdp.c:146
(gdb) p/x acce
accept        accept4       access        acc...@got.plt  access@plt    access_id     access_rec    access_type
(gdb) p/x access_rec->special_func
$1 = 0x0

Here the null pointer is dereferenced by the function call. I think the problem is that in function HIget_function_table from file hfile.c we do the assignment:

2615        access_rec->special=(intn)spec_code;

There is no assignment in the loop, so the function returns NULL:

    for (i = 0; functab[i].key != 0; i++) {
        if (access_rec->special == functab[i].key) {
            ret_value = functab[i].tab;
            break; /* break out of loop */
        }
    }

done:
    if (ret_value == NULL) {
        /* Error condition cleanup */
    } /* end if */

    /* Normal function cleanup */
    return ret_value;

The idea of the fix is to place the assignment from line 2615 before the "break" statement.

** Affects: libhdf4 (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "input to reproduce"
   https://bugs.launchpad.net/bugs/1915407/+attachment/5462697/+files/segfault26.hdf

https://bugs.launchpad.net/bugs/1915407

Title:
  Hdp from hdf4-tools crashes on function null pointer dereference
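Added example, not code from the report or from libhdf4: a small C model of the keyed function-table lookup quoted above, paired with a checked counterpart of the Hendaccess call site, so that an unknown special code produces an error return instead of a call through a NULL function pointer. Struct, function and macro names are assumptions for this example, and the table contents are constructed.

```c
#include <stdio.h>

/* Minimal model of the special-function-table lookup and the Hendaccess
 * call site from the report; struct and function names are simplified
 * assumptions for this example, not libhdf4's own definitions. */
#define SUCCEED 0
#define FAIL   (-1)
struct access_rec;
typedef struct { int (*endaccess)(struct access_rec *); } funclist_t;

typedef struct access_rec {
    int special;                    /* special-element code from the file */
    const funclist_t *special_func; /* stays NULL when lookup finds nothing */
} access_rec_t;

static int demo_endaccess(access_rec_t *rec) { (void)rec; return SUCCEED; }
static const funclist_t demo_funcs = { demo_endaccess };

/* A key of 0 terminates the table, as in HIget_function_table. */
static const struct { int key; const funclist_t *tab; } functab[] = {
    { 1, &demo_funcs },
    { 0, NULL }
};

/* Returns NULL for an unknown code; every caller must handle that. */
const funclist_t *get_function_table(int spec_code) {
    for (int i = 0; functab[i].key != 0; i++)
        if (functab[i].key == spec_code)
            return functab[i].tab;
    return NULL;
}

/* Hardened counterpart of the Hendaccess call: refuse to call through a
 * NULL function pointer and report an error instead of crashing. */
int checked_endaccess(access_rec_t *rec) {
    if (rec == NULL || rec->special_func == NULL ||
        rec->special_func->endaccess == NULL) {
        fprintf(stderr, "endaccess: no function table for special code %d\n",
                rec ? rec->special : -1);
        return FAIL;
    }
    return rec->special_func->endaccess(rec);
}

/* Open a record for an untrusted special code, then close it again. */
int open_and_close(int spec_code) {
    access_rec_t rec = { spec_code, get_function_table(spec_code) };
    return checked_endaccess(&rec);
}
```

A code that is absent from the table (here 99) now fails cleanly at the close call, which is the path the crashing hdp run took.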