dmg2img null pointer deref

Bug #1835461 reported by Andrea Fioraldi
Affects: dmg2img (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi, I'm testing some widely used software with my fuzzer and I found this bug in dmg2img.
I can't figure out how to contact the author (http://vu1tur.eu.org/dmg2img), and the GitHub repo
seems to be a fork (https://github.com/Lekensteyn/dmg2img).

The bug is present in the version of dmg2img distributed with Ubuntu 18.04 (the latest).

In the dmg2img.c file look at this snippet of code:

  char *_blkx_begin = strstr(plist, blkx_begin);            /* NULL if the marker is absent */
  blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin;  /* strstr() on NULL */
  blkx = (char *)malloc(blkx_size + 1);
  memcpy(blkx, _blkx_begin, blkx_size);
  blkx[blkx_size] = '\0';

This leads to a null pointer dereference on line 2 when the strstr on line 1 fails.

I attach a testcase that triggers the bug.

I hope I was helpful,
Goodbye.
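The following is an added example, not code from the bug report or from dmg2img itself. It reproduces the extraction logic of the snippet above in a hardened form: both strstr() results are checked before use, so a plist that lacks the "blkx" key (the reporter's null dereference) or that is truncated before the closing "</array>" (where the original would compute a pointer difference against NULL and hand a huge size to malloc/memcpy) is rejected instead of crashing. The marker strings follow the names of dmg2img's macros, but their exact values here are an assumption, and the sample plists are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marker strings as they appear in a DMG's XML property list. The names
   follow dmg2img's macros; the exact values used here are an assumption. */
static const char blkx_begin[] = "<key>blkx</key>";
static const char list_end[]   = "</array>";

/* Copies the blkx section of plist into a freshly malloc'd, NUL-terminated
   buffer. Returns 0 on success and -1 when either marker is missing (the
   two cases the original snippet does not check) or malloc fails. */
int extract_blkx(const char *plist, char **out, size_t *out_len)
{
    const char *begin, *end;
    size_t size;
    char *blkx;

    *out = NULL;
    *out_len = 0;
    if (plist == NULL)
        return -1;

    begin = strstr(plist, blkx_begin);
    if (begin == NULL)          /* original: this NULL went straight into strstr() */
        return -1;

    end = strstr(begin, list_end);
    if (end == NULL)            /* original: NULL - begin, then malloc/memcpy of that */
        return -1;

    size = (size_t)(end - begin);
    blkx = malloc(size + 1);
    if (blkx == NULL)
        return -1;
    memcpy(blkx, begin, size);
    blkx[size] = '\0';

    *out = blkx;
    *out_len = size;
    return 0;
}

/* Constructed sample inputs (not real DMG plists). */
static const char good_plist[] =
    "<plist version=\"1.0\"><dict><key>resource-fork</key><dict>"
    "<key>blkx</key><array><dict><key>Name</key><string>x</string></dict></array>"
    "</dict></dict></plist>";

static const char missing_blkx[] =          /* no blkx key at all */
    "<plist version=\"1.0\"><dict><key>resource-fork</key><dict>"
    "<key>plst</key><array></array></dict></dict></plist>";

static const char truncated_plist[] =       /* blkx key but no closing </array> */
    "<plist version=\"1.0\"><dict><key>blkx</key><array><dict>";

int main(void)
{
    const char *inputs[] = { good_plist, missing_blkx, truncated_plist };
    const char *labels[] = { "good", "missing blkx", "truncated" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *blkx;
        size_t len;
        if (extract_blkx(inputs[i], &blkx, &len) == 0) {
            printf("%-13s: extracted %zu bytes: %s\n", labels[i], len, blkx);
            free(blkx);
        } else {
            printf("%-13s: rejected (marker missing)\n", labels[i]);
        }
    }
    return 0;
}
```

The check on the second strstr() matters as much as the first: a fuzzer that gets past the null dereference by supplying the "blkx" key will next hit the unchecked end marker, and a negative pointer difference stored in an integer size becomes an enormous allocation request or, if it wraps to a small value, an out-of-bounds memcpy.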

Revision history for this message
Andrea Fioraldi (andreafioraldi) wrote:
Colin Watson (cjwatson)
affects: launchpad → dmg2img (Ubuntu)
tags: removed: dmg2img