Description
Environment
- libucl version: Latest commit 3e7f023
- System: Ubuntu 22.04.5 LTS (Jammy)
Kernel/Release: 22.04
Bug Reproduction
Below is the driver code `main.c`:
#include <ucl.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/*
 * Push one input buffer through the libucl parse / emit / iterate / validate
 * path.
 *
 * data, size: raw bytes handed to the parser as a single chunk.  The buffer is
 * borrowed and never freed here.  Every early exit releases the parser; on the
 * normal path the object reference is dropped before the parser is freed.
 */
static void test(const uint8_t *data, size_t size)
{
	struct ucl_parser *parser = ucl_parser_new(UCL_PARSER_NO_TIME);
	if (parser == NULL) {
		return;
	}

	if (!ucl_parser_add_chunk(parser, (const char *)data, size)) {
		goto out;
	}

	ucl_object_t *root = ucl_parser_get_object(parser);
	if (root == NULL) {
		goto out;
	}

	/* Compact JSON emission; the emitted text is discarded right away. */
	unsigned char *emitted = ucl_object_emit(root, UCL_EMIT_JSON_COMPACT);
	free(emitted);

	/* Touch the scalar accessors on every element of the root object. */
	ucl_object_iter_t iter = NULL;
	for (const ucl_object_t *elem = ucl_iterate_object(root, &iter, true);
	     elem != NULL;
	     elem = ucl_iterate_object(root, &iter, true)) {
		(void)ucl_object_tostring(elem);
		(void)ucl_object_toint(elem);
	}

	/* The object is validated against itself as the schema; according to the
	 * sanitizer trace in this report, this is the call under which
	 * ucl_schema_test_pattern reaches regcomp(). */
	(void)ucl_object_validate(root, root, NULL);
	ucl_object_unref(root);

out:
	ucl_parser_free(parser);
}
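/*
 * Entry point: read the whole file named by argv[1] into memory and hand it to
 * test().  Any argument count other than 2 does nothing.
 *
 * Returns 0 on every path, including I/O failures, matching the original
 * driver: the only non-zero outcome of a run is a sanitizer abort inside the
 * library, which keeps the exit status meaningful when driving a corpus.
 *
 * Fixes over the first version: fseek()/ftell() results are checked (ftell()
 * returns -1 on pipes and directories, which used to be fed straight into
 * malloc()), the allocation is checked, and a short or failed fread() no longer
 * passes uninitialised bytes to test().
 */
int main(int argc, char **argv)
{
	if (argc != 2) {
		return 0;
	}

	FILE *fp = fopen(argv[1], "rb");
	if (fp == NULL) {
		return 0;
	}

	uint8_t *buf = NULL;

	if (fseek(fp, 0, SEEK_END) != 0) {
		goto out;
	}
	long sz = ftell(fp);
	if (sz < 0 || fseek(fp, 0, SEEK_SET) != 0) {
		goto out;
	}
	size_t len = (size_t)sz;

	/* malloc(0) may legitimately return NULL; allocate at least one byte so
	 * an empty file still reaches test() with size 0. */
	buf = malloc(len > 0 ? len : 1);
	if (buf == NULL) {
		goto out;
	}

	/* Pass only the bytes actually read; bail out if the read itself failed. */
	size_t got = fread(buf, 1, len, fp);
	if (got != len && ferror(fp)) {
		goto out;
	}

	test(buf, got);

out:
	free(buf);
	fclose(fp);
	return 0;
}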
Build and Reproduce
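# Configure libucl with ASan/UBSan, build the static library, then build the
# driver against it.  The explicit build step is required: cmake's configure
# run alone does not produce build/libucl.a, which the final clang line links.
# main.c and poc4.txt are expected to live in the sibling "test" directory.
cd libucl
mkdir build && cd build
cmake .. \
    -DCMAKE_C_COMPILER=clang \
    -DCMAKE_C_FLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
    -DENABLE_LUA=OFF \
    -DBUILD_SHARED_LIBS=OFF
cmake --build .
mkdir ../../test && cd ../../test
clang -fsanitize=address,undefined -g -O1 -I../libucl/include main.c ../libucl/build/libucl.a -o test_driver
./test_driver poc4.txt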
ASAN Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3338431==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x14b816a6097a bp 0x7ffe594c5e00 sp 0x7ffe594c5498 T0)
==3338431==The signal is caused by a READ memory access.
==3338431==Hint: address points to the zero page.
#0 0x14b816a6097a string/../sysdeps/x86_64/multiarch/strlen-vec.S:126
#1 0x14b816aabf54 in regcomp posix/./posix/regcomp.c:491:9
#2 0x565212c007f7 in regcomp (/root/softRequire/libucl/fuzz/fuzz_ucl+0xf07f7) (BuildId: dc6bbb4f4a54293f6540e61ca092380c71b56ec9)
#3 0x565212d39dfc in ucl_schema_test_pattern /root/softRequire/libucl/libucl/src/ucl_schema.c:90:6
#4 0x565212d39dfc in ucl_schema_validate_object /root/softRequire/libucl/libucl/src/ucl_schema.c:229:14
#5 0x565212d37e1a in ucl_schema_validate /root/softRequire/libucl/libucl/src/ucl_schema.c:1049:10
#6 0x565212d3657d in ucl_schema_validate /root/softRequire/libucl/libucl/src/ucl_schema.c:955:9
#7 0x565212d35912 in ucl_object_validate_root_ext /root/softRequire/libucl/libucl/src/ucl_schema.c:1098:8
#8 0x565212d35912 in ucl_object_validate /root/softRequire/libucl/libucl/src/ucl_schema.c:1072:9
#9 0x565212c5e8cc in fuzz_one /root/softRequire/libucl/test/harness.c:40:11
#10 0x565212c5e8cc in main /root/softRequire/libucl/test/harness.c:68:9
#11 0x14b8169cfd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x14b8169cfe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x565212ba0a04 in _start (/root/softRequire/libucl/fuzz/fuzz_ucl+0x90a04) (BuildId: dc6bbb4f4a54293f6540e61ca092380c71b56ec9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/strlen-vec.S:126
==3338431==ABORTING
Copyright
© 2025 sdjasj. All rights reserved.
This reproduction code and PoC are provided solely to demonstrate the bug.