Passing xref URIs by the command line triggers a NULL dereference
Issue
Invoking yelp with an xref:
URI triggers a NULL dereference due to yelp_uri_get_document_uri()
returning a NULL pointer.
So any of the following will trigger the issue:
$ yelp xref:
$ yelp xref:AAAAAAA
$ yelp xref:index
I've tested the following versions:
- Git Revision 400fa796 on Ubuntu 21.04
- Default version (40.stable-1) included with Ubuntu 21.04
- Default version (3.26.0-1ubuntu2) included with Ubuntu 18.04
- Default version included with Fedora 34
Backtrace
[#0] 0x7ffff1d991b4 → g_str_hash()
[#1] 0x7ffff1d99ff0 → g_hash_table_lookup()
[#2] 0x55555555c8b3 → application_get_doc_settings(app=0x5555555bb140, doc_uri=0x0)
[#3] 0x55555555c4b0 → application_uri_resolved(uri=0x55555591cee0, data=0x5555558427b0)
[#4] 0x7ffff1eaabcf → g_closure_invoke()
[#5] 0x7ffff1ed481b → mov rax, QWORD PTR [rsp+0x28]
[#6] 0x7ffff1ec8638 → g_signal_emit_valist()
[#7] 0x7ffff1ec8893 → g_signal_emit()
[#8] 0x7ffff7f6f25c → mov rdi, rbp
[#9] 0x7ffff1db67ef → g_main_context_dispatch()
Details
Relevant files:
- src/yelp-application.c
- libyelp/yelp-uri.c
application_uri_resolved()
gets called with a user provided URL, which eventually gets passed to yelp_uri_get_document_uri()
, which has it's result used by application_get_doc_settings()
.
yelp_uri_get_document_uri()
can return NULL if it's doctype is unresolved, which is this case, which gets propagated down to a call of g_str_hash()
which can't handle it.
Other Relevant Bugs
-
#169 Also hits
yelp_uri_get_document_uri()
but it dies there instead of further down the line. Believe these are different bugs however.