
Fix the null reference vulnerability.

QiuYitai opened this issue 8 months ago • 0 comments

Hello, our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan zaver (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs. The NULL Dereference vulnerability happens in int threadpool_free(), threadpool.c.

How the NULL Pointer Dereference happens:

1. When pool->head == NULL
2. NULL dereference of variable pool->head happens at pool->head->next

```c
static inline void Abc_NtkFinSimOneWord( Abc_Obj_t * pObj, int Type, Vec_Wrd_t * vSims, int nWords )
{
=>  if ((pool->threads == NULL) || (pool->head == NULL)) {
=>      goto err;
    }
    ......
err:
    if (pool) {
=>      threadpool_free(pool);
    }
    return NULL;
}

int threadpool_free(zv_threadpool_t *pool) {
    ......
=>  while (pool->head->next) {
        ......
    }
    ......
}
```

QiuYitai, Apr 15 '25 08:04
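The guard the issue asks for, shown as an added example rather than zaver's own code: a stand-alone `threadpool_free` that checks `pool->head` before reading `pool->head->next`, plus two drivers that reproduce the failed-init state (head and threads still NULL) and a normally populated pool. The struct layout and field names are assumptions; zaver's real `zv_threadpool_t` is not reproduced here.

```c
#include <stdlib.h>

/* Minimal stand-in for zaver's types (constructed; field names assumed). */
typedef struct zv_task_s { struct zv_task_s *next; } zv_task_t;
typedef struct {
    void *threads;    /* thread handle array; NULL if its allocation failed */
    zv_task_t *head;  /* dummy head of the task list; NULL if never allocated */
} zv_threadpool_t;

/* Returns 0 on success, -1 for a NULL pool. Unlike the loop quoted in the
 * issue, it checks pool->head before reading pool->head->next, so the
 * failed-init path (threads or head still NULL) can call it safely. */
int threadpool_free(zv_threadpool_t *pool) {
    if (pool == NULL) return -1;
    free(pool->threads);          /* free(NULL) is a no-op */
    if (pool->head) {             /* the missing guard */
        while (pool->head->next) {
            zv_task_t *old = pool->head->next;
            pool->head->next = old->next;
            free(old);
        }
        free(pool->head);
    }
    free(pool);
    return 0;
}

/* Reproduces the init failure path: pool allocated, head and threads NULL. */
int free_after_failed_init(void) {
    zv_threadpool_t *pool = calloc(1, sizeof *pool);
    if (pool == NULL) return -1;
    return threadpool_free(pool);  /* would crash without the guard */
}

/* Normal path: dummy head plus two queued tasks, so the loop is exercised. */
int free_populated_pool(void) {
    zv_threadpool_t *pool = calloc(1, sizeof *pool);
    zv_task_t *head = calloc(1, sizeof *head);
    zv_task_t *t1 = calloc(1, sizeof *t1), *t2 = calloc(1, sizeof *t2);
    if (!pool || !head || !t1 || !t2) return -1;
    head->next = t1;
    t1->next = t2;
    pool->head = head;
    pool->threads = malloc(4 * sizeof(int));
    return threadpool_free(pool);
}
```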