A crash in the Selector_List::populate_extends function in both version 3.5.5 and the latest code #2779
glebm added a commit to glebm/sass-spec that referenced this issue on Dec 2, 2018
glebm added a commit to glebm/libsass that referenced this issue on Dec 2, 2018
Assigned CVE-2018-19797
glebm added a commit to glebm/libsass that referenced this issue on Dec 6, 2018
glebm added a commit to glebm/libsass that referenced this issue on Dec 9, 2018
glebm added a commit to glebm/sass-spec that referenced this issue on Dec 9, 2018
glebm added a commit to glebm/libsass that referenced this issue on Dec 9, 2018
xzyfer pushed a commit that referenced this issue on Dec 9, 2018
xzyfer pushed a commit to sass/sass-spec that referenced this issue on Dec 9, 2018
I found a crash by fuzzing libsass&sassc. It can be reproduced both in version 3.5.5 and the master branch (accessed on 2018/11/27) code. Run sassc (built with ASan) with a special file sass_id01 (https://github.com/zyingp/temp/blob/master/sass_id01).
```
./sassc/bin/sassc sass_id01
```
The outputs are as follows:
I found the cause is that in the `populate_extends` function in ast.cpp (the function was moved to ast_selectors.cpp several days ago), the `pIter` variable is NULL when coming to the crashing line (noted below). Adding a null check on `pIter` indeed could fix the problem but not sure whether there are better ways.