Null Pointer Dereference #53
Description
Summary
An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() when a null pointer is passed to xc::XMLUri::isValidURI().
Details
If the package.opf contains <item> elements without "href" attributes, the variable "href" is set to an empty string on ValidateEpub.cpp:118. On ValidateEpub.cpp:121, "toX(href)" is called, which returns a NULL pointer when href is empty. This pointer is then passed to xc::XMLUri::isValidURI(), which dereferences it, causing a segmentation fault.
In the attached null_ptr.zip, you'll see that the href attributes in EPUB/package.opf have been replaced by the attribute "malformed".
Impact
This vulnerability has very little security impact for Sigil users, but it may be used for denial of service against third-party software that uses FlightCrew as a library.
Steps to reproduce
- Download the attached "null_ptr.zip"
- On a Linux system, process "null_ptr.zip" using flightcrew-cli:
flightcrew-cli --input-file null_ptr.zip
At this point, flightcrew-cli will segfault.