From: Bruno Haible
To: bug-gnulib@gnu.org
Cc: Darren Kenny
Subject: Re: [PATCH 2/3] lib/argp-help: Fix possible dereference of a NULL state
Date: Fri, 18 Jun 2021 19:36:55 +0200
Message-ID: <2605779.ugxd0eSEJy@omega>
In-Reply-To: <85c9172a3ccf9909f244993b3b02416783880da8.1624030621.git.darren.kenny@oracle.com>

Darren Kenny wrote:
> All other instances of call to __argp_failure() where there is
> a dgettext() call first check whether the value of state is NULL
> before attempting to dereference it to get the root_argp->argp_domain.
>
> This was originally found during a Coverity scan of GRUB2.

Thanks. I confirm that that is a possible NULL dereference here.
I've applied your patch.

The notation '(tiny change)' is explained in .


2021-06-18  Darren Kenny  (tiny change)

        argp: Avoid possible NULL access in argp_help.
        Reported by Coverity. The invocation chain is:
        argp_help -> _help -> fill_in_uparams -> validate_uparams.
        * lib/argp-help.c (validate_uparams): Don't crash if state == NULL.

diff --git a/lib/argp-help.c b/lib/argp-help.c index 4c89697..80cdb44 100644 --- a/lib/argp-help.c +++ b/lib/argp-help.c @@ -147,7 +147,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr) if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin) { __argp_failure (state, 0, 0, - dgettext (state->root_argp->argp_domain, + dgettext (state == NULL ? NULL + : state->root_argp->argp_domain, "\ ARGP_HELP_FMT: %s value is less than or equal to %s"), "rmargin", up->name);
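
Review bot: in the `dgettext` call inside `validate_uparams`, the guard `state == NULL ? NULL : state->root_argp->argp_domain` is open-coded, and the patch description says the other `__argp_failure` call sites already repeat the same check by hand. A small helper (a macro or static inline that returns the domain or NULL for a given `state`) would keep a future call site from omitting it. A one-line comment at this call noting that `state` can be NULL when the function is reached through `argp_help` would also help, since that fact is recorded only in the ChangeLog entry. With a NULL domain, `dgettext` looks the string up in the program's default text domain, so on this path the message may come out untranslated; that is acceptable for an error message but worth stating in the comment.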