Condition checking by comparing an uninitialized variable with a constant

[1ndahous3]

Inside the Linux implementation of yr_process_get_next_memory_block() variable int n is declared before using fgets(), but the initial variable is only assigned if successful before sscanf().

yara/libyara/proc/linux.c

Lines 325 to 355 in 9ab96d1

	if (proc_info->next_block_end <= current_begin)
	{
	int n, path_start;
	char *p;
	while (fgets(buffer, sizeof(buffer), proc_info->maps) != NULL)
	{
	// locate the '\n' character
	p = strrchr(buffer, '\n');
	// If we haven't read the whole line, skip over the rest.
	if (p == NULL)
	{
	int c;
	do
	{
	c = fgetc(proc_info->maps);
	} while (c >= 0 && c != '\n');
	}
	// otherwise remove '\n' at the end of the line
	else
	{
	*p = '\0';
	}
	// Each row in /proc/$PID/maps describes a region of contiguous virtual
	// memory in a process or thread. Each row has the following fields:
	//
	// address perms offset dev inode pathname
	// 08048000-08056000 r-xp 00000000 03:0c 64593 /usr/sbin/gpm
	//
	n = sscanf(

n is checked even if fgets() returns NULL, so we get UB:

yara/libyara/proc/linux.c

Lines 384 to 393 in 9ab96d1

	if (n == 7)
	{
	current_begin = begin;
	proc_info->next_block_end = end;
	}
	else
	{
	YR_DEBUG_FPRINTF(2, stderr, "+ %s() = NULL\n", __FUNCTION__);
	return NULL;
	}