Null pointer dereference in index.c in bfabiszewski/libmobi


Reported on

May 25th 2022


Null pointer dereference in bfabiszewski/libmobi at index.c:1076.


export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"

./configure --disable-shared



./mobitool -e -o /tmp/mobi POC



==1984==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000005b0416 bp 0x000000000032 sp 0x7ffdcdca6740 T0)
==1984==The signal is caused by a READ memory access.
==1984==Hint: address points to the zero page.
    #0 0x5b0416  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)
    #1 0x50440a  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50440a)
    #2 0x507594  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x507594)
    #3 0x50bbf8  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x50bbf8)
    #4 0x4d115b  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x4d115b)
    #5 0x7f021bb570b2  (/lib/x86_64-linux-gnu/
    #6 0x41d56d  (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x41d56d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/cmdline-fuzz/exprs/libmobi-0.10/mobitool+0x5b0416)

(gdb) bt
#0  mobi_trie_insert_infl (root=<optimized out>, indx=<optimized out>, i=<optimized out>) at index.c:1076
#1  0x000000000050440b in mobi_reconstruct_orth (rawml=<optimized out>, first=<optimized out>,
    new_size=<optimized out>) at parse_rawml.c:1537
#2  0x0000000000507595 in mobi_reconstruct_links_kf7 (rawml=<optimized out>) at parse_rawml.c:1805
#3  0x000000000050bbf9 in mobi_reconstruct_links (rawml=0x6080000000a0) at parse_rawml.c:1854
#4  mobi_parse_rawml_opt (rawml=<optimized out>, m=<optimized out>, parse_toc=<optimized out>,
    parse_dict=<optimized out>, reconstruct=<optimized out>) at parse_rawml.c:2158
#5  0x000000000050a203 in mobi_parse_rawml (rawml=0x8, m=0x608000000720) at parse_rawml.c:2014
#6  0x00000000004d115c in loadfilename (
    fullpath=0x7fffffffcfa0 "bba38746-3855-4bf5-ad06-a7bef4d406a3/master/crashes/id:000002,sig:11,src:000786+000699,time:82592580,execs:8346508,op:splice,rep:8") at mobitool.c:852
#7  main (argc=<optimized out>, argv=<optimized out>) at mobitool.c:1051

(gdb) list 1076
1071            MOBIIndexTag t = e.tags[j];
1072            if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
1073                for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
1074                    uint32_t len = t.tagvalues[k];
1075                    uint32_t offset = t.tagvalues[k + 1];
1076                    char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);
1077                    if (base == NULL) {
1078                        return MOBI_MALLOC_FAILED;
1079                    }
1080                    MOBI_RET ret = mobi_trie_insert_reversed(root, base, inflected);


A null pointer dereference can cause a program to crash, use unexpected values, or lead to remote code execution.


We are processing your report and will contact the bfabiszewski/libmobi team within 24 hours. 2 years ago
We have contacted a member of the bfabiszewski/libmobi team and are waiting to hear back 2 years ago
2 years ago


Hi, thanks for the report! There really seems to be a bug here, but I am getting different results than yours. Could you tell me which exact variable is null in your test?

2 years ago


Hi, I did a quick investigation and it seems "indx->cncx_record" is 0, which then causes the null pointer dereference at line 933.

2 years ago


OK. Thanks! That's correct. I just wondered why your sanitizer shows problem on line 1076. I thought that maybe in your case indx is null.
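The thread above pins the crash on indx->cncx_record being NULL when a crafted file carries no CNCX record, so the lookup at index.c:1076 dereferences a null pointer inside mobi_get_cncx_string_flat before the existing `base == NULL` check can help. The following is an added example, not libmobi's code and not the content of fix commit 1e4924: the types cncx_record_t, index_t and ret_t and the functions cncx_string_flat and collect_inflections are hypothetical stand-ins that model the same (len, offset) tag-value loop, validate the record and the bounds before any memory access, and keep "corrupt input" distinct from "allocation failed" so the caller does not have to report one as the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a CNCX record: a flat byte buffer
 * that index entries reference by (offset, length). Not libmobi's own type. */
typedef struct {
    const uint8_t *data;
    size_t size;
} cncx_record_t;

/* Hypothetical stand-in for the index object. cncx_record is NULL when the
 * input carries no CNCX record, which is the condition the PoC triggers. */
typedef struct {
    const cncx_record_t *cncx_record;
} index_t;

/* Return codes modelled loosely on MOBI_RET; corrupt input and allocation
 * failure are distinct so callers can tell them apart. */
typedef enum {
    RET_OK = 0,
    RET_DATA_CORRUPT = 1,
    RET_MALLOC_FAILED = 2
} ret_t;

/* Hardened string lookup: refuses a missing record and an out-of-range
 * (offset, len) pair before touching memory. The subtraction form of the
 * bounds check cannot overflow, unlike `offset + len > size`. */
ret_t cncx_string_flat(const cncx_record_t *record, uint32_t offset,
                       uint32_t len, char **out) {
    *out = NULL;
    if (record == NULL || record->data == NULL) {
        return RET_DATA_CORRUPT;
    }
    if (offset > record->size || len > record->size - offset) {
        return RET_DATA_CORRUPT;
    }
    char *s = malloc((size_t)len + 1);
    if (s == NULL) {
        return RET_MALLOC_FAILED;
    }
    memcpy(s, record->data + offset, len);
    s[len] = '\0';
    *out = s;
    return RET_OK;
}

/* Caller mirroring the loop at index.c:1071-1079: tagvalues holds
 * (len, offset) pairs. The record is validated once, up front, so a
 * missing record is reported as corrupt input instead of reaching the
 * lookup as a NULL pointer. out_count receives the number of strings read. */
ret_t collect_inflections(const index_t *indx, const uint32_t *tagvalues,
                          size_t tagvalues_count, size_t *out_count) {
    *out_count = 0;
    if (indx == NULL || indx->cncx_record == NULL) {
        return RET_DATA_CORRUPT;
    }
    for (size_t k = 0; k + 1 < tagvalues_count; k += 2) {
        uint32_t len = tagvalues[k];
        uint32_t offset = tagvalues[k + 1];
        char *base = NULL;
        ret_t ret = cncx_string_flat(indx->cncx_record, offset, len, &base);
        if (ret != RET_OK) {
            return ret; /* propagate the precise failure */
        }
        (*out_count)++;
        free(base);
    }
    return RET_OK;
}

int main(void) {
    static const uint8_t sample[] = "inflection";      /* constructed record */
    const cncx_record_t rec = { sample, sizeof sample - 1 };
    const index_t good = { &rec };
    const index_t missing = { NULL };                   /* the PoC condition */
    const uint32_t tags[] = { 4, 0, 6, 4 };             /* "infl"@0, "ection"@4 */
    size_t n = 0;
    printf("valid record: ret=%d, %zu strings\n",
           collect_inflections(&good, tags, 4, &n), n);
    printf("missing record: ret=%d\n", collect_inflections(&missing, tags, 4, &n));
    return 0;
}
```

Returning RET_DATA_CORRUPT for a missing record, rather than the MOBI_MALLOC_FAILED the quoted loop returns for any NULL result, also makes fuzz crashes like this one easier to triage: a corrupt-input code points at the parser, an allocation code points at the environment.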

Bartek Fabiszewski modified the Severity from High to Low 2 years ago
2 years ago


I lowered the severity, as I don't see a possibility of using this vulnerability for remote code execution or using unexpected values. The only scenario is a segmentation fault and denial of service. Also, an attacker must deceive the user into loading crafted data.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bartek Fabiszewski validated this vulnerability 2 years ago
Xiaohan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bartek Fabiszewski marked this as fixed in 0.11 with commit 1e4924 2 years ago
Bartek Fabiszewski has been awarded the fix bounty
This vulnerability will not receive a CVE