From 74396a61c8c6f2622ff4f575ed8613fd0a60131b Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Jul 25 2017 19:18:55 +0000
Subject: INI: Fix ini_config parsing SEGVs
When a config file has a conflict between a section name and a key name, ini_parse can create malformed collections, leading to a segfault. There are three cases where this occurs: 1. Inside a section, between the section name and the key name 2. Between a default-section key and a section name 3. Between a section name and a key in a different section Case 1 leads to a segfault only when retrieving the attribute from a value_obj, as the value_obj returned is incorrectly cast from the section. Case 2 and 3 segfaults during parsing, when it attempts to merge the section and the key.
Signed-off-by: Alexander Scheel
Reviewed-by: Michal Židek
---
diff --git a/ini/ini_get_valueobj.c b/ini/ini_get_valueobj.c
index 0f30fcf..ff11a70 100644
--- a/ini/ini_get_valueobj.c
+++ b/ini/ini_get_valueobj.c
@@ -225,6 +225,7 @@ int ini_get_config_valueobj(const char *section,
 }
 if ((hash == col_get_item_hash(item)) &&
+ (col_get_item_type(item) == COL_TYPE_BINARY) &&
 (strncasecmp(col_get_item_property(item, &len), name, name_len) == 0) &&
 (len == name_len)) {
 TRACE_INFO_STRING("Item is found", name);
diff --git a/ini/ini_parse.c b/ini/ini_parse.c
index e5baeca..018477c 100644
--- a/ini/ini_parse.c
+++ b/ini/ini_parse.c
@@ -391,7 +391,7 @@ static int check_section_collision(struct parser_obj *po)
 error = col_get_item(po->top,
 col_get_item_property(po->sec, NULL),
- COL_TYPE_ANY,
+ COL_TYPE_COLLECTIONREF,
 COL_TRAVERSE_DEFAULT,
 &item);
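Review bot: The added `col_get_item_type(item) == COL_TYPE_BINARY` test in the match condition of ini_get_config_valueobj carries no comment explaining why an item's type matters in a name lookup, so a later cleanup could drop it as redundant with the hash and name comparison. Per the commit message, a section stored under the same name as a key was previously returned and cast to a value object; a comment above the condition such as `/* Only binary items hold a value object; a same-named section must never match here. */` would record that type-confusion guard. The function body starts and ends outside the hunk, so how a skipped same-named item is reported to the caller (not found versus an error) is not visible here and is worth stating in the function's documentation.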
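Review bot: Narrowing the lookup in check_section_collision to `COL_TYPE_COLLECTIONREF` presumably lets a key and a section with the same name coexist in `po->top`, so any other name-based lookup on that collection that still passes `COL_TYPE_ANY` may return an item of the wrong type; those call sites are outside this hunk and should be audited for the same pattern. A short comment on the argument, e.g. `/* only an existing section can collide; a same-named key is a different item type */`, would explain why `COL_TYPE_ANY` is wrong here. No regression input for the three cases listed in the commit message is visible in this patch; a config file with a key named like a section would pin the fix. The function continues outside the hunk.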