
AddressSanitizer: SEGV on unknown address 0x000000000000 at inspect.cpp:466 #3173

Closed · 0xdd96 opened this issue Jan 25, 2022 · 2 comments

0xdd96 commented Jan 25, 2022

version: master (commit 006bbf5)
poc: poc
command: ./tester $poc$

Here is the trace reported by ASAN:

root:/path_to_libsass# ./tester poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000b9b578 bp 0x7fffffffcc70 sp 0x7fffffffc420 T0)
==28897==The signal is caused by a READ memory access.
==28897==Hint: address points to the zero page.
    #0 0xb9b577 in Sass::Inspect::operator()(Sass::List*) /path_to_libsass/src/inspect.cpp:466:24
    #1 0xcd253c in Sass::List::perform(Sass::Operation<void>*) /path_to_libsass/src/./ast_values.hpp:76:5
    #2 0xb8ef97 in Sass::Inspect::operator()(Sass::Declaration*) /path_to_libsass/src/inspect.cpp:184:11
    #3 0xc88689 in Sass::Declaration::perform(Sass::Operation<void>*) /path_to_libsass/src/./ast.hpp:609:5
    #4 0xb77b59 in Sass::Output::operator()(Sass::StyleRule*) /path_to_libsass/src/output.cpp:172:14
    #5 0xc861c9 in Sass::StyleRule::perform(Sass::Operation<void>*) /path_to_libsass/src/./ast.hpp:538:5
    #6 0xb8927f in Sass::Inspect::operator()(Sass::Block*) /path_to_libsass/src/inspect.cpp:35:20
    #7 0x5d5049 in Sass::Block::perform(Sass::Operation<void>*) /path_to_libsass/src/./ast.hpp:510:5
    #8 0x5c09dd in Sass::Context::render(Sass::SharedImpl<Sass::Block>) /path_to_libsass/src/context.cpp:498:11
    #9 0x57496b in sass_compiler_execute /path_to_libsass/src/sass_context.cpp:455:53
    #10 0x571cd2 in sass_compile_context(Sass_Context*, Sass::Context*) /path_to_libsass/src/sass_context.cpp:320:7
    #11 0x572592 in sass_compile_file_context /path_to_libsass/src/sass_context.cpp:423:12
    #12 0x55e8e9 in compile_file /path_to_libsass/sassc/sassc.c:173:5
    #13 0x560839 in main /path_to_libsass/sassc/sassc.c:387:18
    #14 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x48d999 in _start (/path_to_libsass/tester+0x48d999)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path_to_libsass/src/inspect.cpp:466:24 in Sass::Inspect::operator()(Sass::List*)
==28897==ABORTING

There are 2 elements in the list; when i is 0, list_item is assigned the first element at line 464, and its node is 0x0. The program crashed when trying to dereference the node pointer at inspect.cpp:466.

libsass/src/inspect.cpp

Lines 461 to 472 in 006bbf5

    for (size_t i = 0, L = list->size(); i < L; ++i) {
      if (list->separator() == SASS_HASH)
      { sep[0] = i % 2 ? ':' : ','; }
      ExpressionObj list_item = list->at(i);
      if (output_style() != TO_SASS) {
        if (list_item->is_invisible()) {
          // this fixes an issue with "" in a list
          if (!Cast<String_Constant>(list_item)) {
            continue;
          }
        }
      }

pwndbg> p list->elements()
$3 = std::vector of length 2, capacity 2 = {{
    <Sass::SharedPtr> = {
      node = 0x0
    }, <No data fields>}, {
    <Sass::SharedPtr> = {
      node = 0x555555a4b7f0
    }, <No data fields>}}

pwndbg> p list_item
$4 = {
  <Sass::SharedPtr> = {
    node = 0x0
  }, <No data fields>}

I tracked the null assignment of node in listize.cpp. As shown below, when the program runs to the for loop on line 54, there is only 1 element in sel, which will be assigned to compound on line 55. By debugging we can see that there are no elements in compound, so the check on line 56 will not be satisfied, resulting in an empty l (line 58 is not executed). So the program will return 0 on line 66, setting node to 0 (NULL), and this element will be added to elements_ on line 31.

libsass/src/listize.cpp

Lines 47 to 70 in 006bbf5

  Expression* Listize::operator()(ComplexSelector* sel)
  {
    List_Obj l = SASS_MEMORY_NEW(List, sel->pstate());
    // ToDo: investigate what this does
    // Note: seems related to parent ref
    l->from_selector(true);
    for (auto component : sel->elements()) {
      if (CompoundSelectorObj compound = Cast<CompoundSelector>(component)) {
        if (!compound->empty()) {
          ExpressionObj hh = compound->perform(this);
          if (hh) l->append(hh);
        }
      }
      else if (component) {
        l->append(SASS_MEMORY_NEW(String_Quoted, component->pstate(), component->to_string()));
      }
    }
    if (l->length() == 0) return 0;
    return l.detach();
  }
}

pwndbg> p sel->elements()
$7 = std::vector of length 1, capacity 1 = {{
    <Sass::SharedPtr> = {
      node = 0x555555a3e0a0
    }, <No data fields>}}

pwndbg> p compound->elements()
$171 = std::vector of length 0, capacity 1

libsass/src/listize.cpp

Lines 25 to 35 in 006bbf5

  Expression* Listize::operator()(SelectorList* sel)
  {
    List_Obj l = SASS_MEMORY_NEW(List, sel->pstate(), sel->length(), SASS_COMMA);
    l->from_selector(true);
    for (size_t i = 0, L = sel->length(); i < L; ++i) {
      if (!sel->at(i)) continue;
      l->append(sel->at(i)->perform(this));
    }
    if (l->length()) return l.detach();
    return SASS_MEMORY_NEW(Null, l->pstate());
  }

Possible fix: check for null node pointer before inspect.cpp:466.
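The chain described in this report (an empty compound selector makes the ComplexSelector visitor return 0, the SelectorList visitor appends that null, and the Inspect loop dereferences it) modelled with stand-in types, as an added example that is not libsass code. listize_complex, listize_list, count_null_elements and inspect_safe are constructed names; the example shows both the producer-side guard (skip a null result when appending, the same pattern the ComplexSelector visitor already uses with `if (hh)`) and the consumer-side guard the report proposes for inspect.cpp:466.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for libsass's Expression / ExpressionObj (SharedPtr).
// A node with a non-empty `items` plays the role of a List.
struct Expr {
  std::string text;
  std::vector<std::shared_ptr<Expr>> items;
};
using ExprObj = std::shared_ptr<Expr>;

// Stand-in for Listize::operator()(ComplexSelector*): an empty compound
// selector yields nothing, so the visitor returns a null object ("return 0").
ExprObj listize_complex(const std::vector<std::string>& compound) {
  if (compound.empty()) return nullptr;
  auto l = std::make_shared<Expr>();
  for (const auto& c : compound) l->items.push_back(std::make_shared<Expr>(Expr{c, {}}));
  return l;
}

// Stand-in for Listize::operator()(SelectorList*). With skip_null == false it
// appends whatever the child visitor returned, null included (the report's
// elements_ with node = 0x0); with skip_null == true the null never gets in.
ExprObj listize_list(const std::vector<std::vector<std::string>>& sel, bool skip_null) {
  auto l = std::make_shared<Expr>();
  for (const auto& cs : sel) {
    ExprObj hh = listize_complex(cs);
    if (skip_null && !hh) continue;  // producer-side guard
    l->items.push_back(hh);
  }
  return l;
}

// Detection helper: how many null elements a list carries (0 is the invariant
// the Inspect loop relies on when it calls list_item->is_invisible()).
int count_null_elements(const ExprObj& list) {
  int n = 0;
  for (const auto& item : list->items) if (!item) ++n;
  return n;
}

// Stand-in for the Inspect loop with the consumer-side guard the report
// proposes: a null list_item is skipped instead of dereferenced. Returns the
// number of elements actually inspected.
int inspect_safe(const ExprObj& list) {
  int inspected = 0;
  for (const auto& list_item : list->items) {
    if (!list_item) continue;  // the null check proposed for inspect.cpp:466
    (void)list_item->text;     // where is_invisible() would be called
    ++inspected;
  }
  return inspected;
}
```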

0xdd96 (Author) commented Jan 25, 2022

Note: This issue is similar to #3168, hope my analysis will help.

mgreter (Contributor) commented Dec 15, 2023

Addressed via #3184
