Commit 839085f8 authored by Stephen C. North's avatar Stephen C. North 🙀
Browse files

attempted fix for null pointer deference on malformed input

parent d23153a7
......@@ -468,8 +468,10 @@ startElementHandler(void *userData, const char *name, const char **atts)
if (pos > 0) {
const char *attrname;
attrname = atts[pos];
bind_node(attrname);
if (G == 0)
fprintf(stderr,"node %s outside graph, ignored\n",attrname);
else
bind_node(attrname);
pushString(&ud->elements, attrname);
}
......@@ -495,21 +497,25 @@ startElementHandler(void *userData, const char *name, const char **atts)
if (tname)
head = tname;
bind_edge(tail, head);
if (G == 0)
fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
else {
bind_edge(tail, head);
t = AGTAIL(E);
tname = agnameof(t);
t = AGTAIL(E);
tname = agnameof(t);
if (strcmp(tname, tail) == 0) {
ud->edgeinverted = FALSE;
} else if (strcmp(tname, head) == 0) {
ud->edgeinverted = TRUE;
}
if (strcmp(tname, tail) == 0) {
ud->edgeinverted = FALSE;
} else if (strcmp(tname, head) == 0) {
ud->edgeinverted = TRUE;
}
pos = get_xml_attr("id", atts);
if (pos > 0) {
setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
}
pos = get_xml_attr("id", atts);
if (pos > 0) {
setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
}
}
} else {
/* must be some extension */
fprintf(stderr,
......@@ -530,7 +536,7 @@ static void endElementHandler(void *userData, const char *name)
char *ele_name = topString(ud->elements);
if (ud->closedElementType == TAG_GRAPH) {
Agnode_t *node = agnode(root, ele_name, 0);
agdelete(root, node);
if (node) agdelete(root, node);
}
popString(&ud->elements);
Current_class = TAG_GRAPH;
......
......@@ -22,6 +22,7 @@ extern void yyerror(char *); /* gets mapped to aagerror, see below */
#endif
static char Key[] = "key";
static int SubgraphDepth = 0;
typedef union s { /* possible items in generic list */
Agnode_t *n;
......@@ -542,6 +543,7 @@ static void startgraph(char *name, int directed, int strict)
static Agdesc_t req; /* get rid of warnings */
if (G == NILgraph) {
SubgraphDepth = 0;
req.directed = directed;
req.strict = strict;
req.maingraph = TRUE;
......@@ -562,6 +564,11 @@ static void endgraph()
static void opensubg(char *name)
{
if (++SubgraphDepth >= YYMAXDEPTH/2) {
char buf[128];
sprintf(buf,"subgraphs nested more than %d deep",YYMAXDEPTH);
agerr(AGERR,buf);
}
S = push(S,agsubg(S->g,name,TRUE));
agstrfree(G,name);
}
......@@ -569,6 +576,7 @@ static void opensubg(char *name)
static void closesubg()
{
Agraph_t *subg = S->g;
--SubgraphDepth;
S = pop(S);
S->subg = subg;
assert(subg);
......
......@@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack)
Agraph_t *agroot(void* obj)
{
// fixes CVE-2019-11023 by moving the problem to the caller :-)
if (obj == 0) return NILgraph;
switch (AGTYPE(obj)) {
case AGINEDGE:
case AGOUTEDGE:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment