null pointer dereference in stackswap #78
On the latest version of libming, a null pointer dereference read was found in function stackswap.
Testcase: https://github.com/bestshow/p0cs/blob/master/null-ptr-in_stackswap
Well, it looks like several things are going wrong here.
First, we are building libming in
This debug variable is the only element in the stack, so when we do
Obvious fix: Add checks to avoid dereferencing
Less obvious question: Why is the stack NULL?
I see two possibilities:
In both cases, we should probably reject files leading to NULL stacks. It is dangerous and IMO useless to process further because the result is going to be garbage anyway.
Possible additional fix: Build without
(It should work because, well,
I have just written a potential fix. This fix only addresses the null pointer dereference issue.
In fact the reproducer seems to also trigger various memory leaks similar to #72, which I'm currently investigating.