
[BUG] Null pointer dereference in fileutil.c:75, catdoc #8

@kdsjZh

Description


Brief Summary

Hello, I was testing my fuzzer and found a null pointer dereference bug in catdoc. A null pointer dereference in the function find_file is triggered when parsing a crafted doc file by running ./catdoc $POC, as shown in the attachment.

Environment

Ubuntu 18.04
clang 12.0.1
catdoc latest version

Steps to reproduce

export CC="clang -fsanitize=address -g"
./configure --disable-shared && make -j8
./src/catdoc $POC

ASAN output

=================================================================
==352068==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f87b0d7ce78 bp 0x7fff790da7f0 sp 0x7fff790d9f88 T0)
==352068==The signal is caused by a READ memory access.
==352068==Hint: address points to the zero page.
    #0 0x7f87b0d7ce78  /build/glibc-CVJwZb/glibc-2.27/string/../sysdeps/x86_64/multiarch/strchr-avx2.S:57
    #1 0x43979c in __interceptor_strchr.part.39 /llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:688
    #2 0x4fbb80 in find_file /latest/catdoc/src/fileutil.c:75:5
    #3 0x4f3c50 in main /latest/catdoc/src/catdoc.c:50:11
    #4 0x7f87b0c10c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41baa9 in _start (/latest/catdoc/src/catdoc+0x41baa9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-CVJwZb/glibc-2.27/string/../sysdeps/x86_64/multiarch/strchr-avx2.S:57
==352068==ABORTING

Root cause

In file https://github.com/petewarden/catdoc/blob/master/src/fileutil.c#L75:

q=strchr(p,LIST_SEP);

The pointer p is not verified and can be made NULL by a crafted doc file.

POC

poc0.zip

Credit

Han Zheng(NCNIPC of China, Hexhive)
Yin Li, Xiaotong Jiao(NCNIPC of China)
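The report above points at a single strchr() call whose argument is never checked for NULL. The following C program is an added illustration and is not catdoc's code (the page shows only the one line at fileutil.c:75, not the surrounding function): it reconstructs the shape of a LIST_SEP-separated path search, shows the unchecked variant that would fault exactly as the ASan trace does when the search path is NULL, and a hardened variant that validates its pointers before the first dereference. The function names (walk_path, find_file_unchecked, find_file_safe, fake_exists), the exists_fn callback, the FAKE_FS table and the paths in it are all assumptions made for this example so that it runs offline without touching the real filesystem.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIST_SEP ':'   /* path-list separator, as in the catdoc line quoted above */

/* Predicate used instead of the real filesystem so the example runs offline
 * (assumption for this example; the real find_file presumably stats files). */
typedef int (*exists_fn)(const char *candidate);

/* Constructed stand-in for the filesystem: only these two paths "exist". */
static const char *const FAKE_FS[] = {
    "/usr/share/catdoc/8859-1.txt",
    "/home/user/.catdoc/cp1251.txt",
};

int fake_exists(const char *candidate)
{
    size_t i;
    for (i = 0; i < sizeof FAKE_FS / sizeof FAKE_FS[0]; i++)
        if (strcmp(candidate, FAKE_FS[i]) == 0)
            return 1;
    return 0;
}

/* Walk the LIST_SEP-separated list in `path`, build "dir/name" for each
 * component, and return 1 with the first existing candidate in `out`,
 * 0 if none exists, -1 if a candidate would not fit in `out`.
 * This loop has the same shape as the reported code: it hands `p` straight
 * to strchr(), so it must never be reached with a NULL `path`. */
static int walk_path(const char *name, const char *path, exists_fn exists,
                     char *out, size_t outlen)
{
    const char *p = path;
    for (;;) {
        const char *q = strchr(p, LIST_SEP);   /* reads *p: SEGV on the zero page if p == NULL */
        size_t dirlen = q ? (size_t)(q - p) : strlen(p);
        if (dirlen > 0) {                      /* skip empty components (they would mean cwd) */
            int n = snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, name);
            if (n < 0 || (size_t)n >= outlen)
                return -1;                     /* truncated candidate: refuse rather than guess */
            if (exists(out))
                return 1;
        }
        if (q == NULL)
            break;
        p = q + 1;
    }
    if (outlen > 0)
        out[0] = '\0';
    return 0;
}

/* Unchecked variant: mirrors the bug in the report. A NULL `path` reaches
 * strchr() and faults on address 0 ("address points to the zero page"). */
int find_file_unchecked(const char *name, const char *path, exists_fn exists,
                        char *out, size_t outlen)
{
    return walk_path(name, path, exists, out, outlen);
}

/* Hardened variant: validate every pointer before the first dereference and
 * report failure to the caller instead of crashing. */
int find_file_safe(const char *name, const char *path, exists_fn exists,
                   char *out, size_t outlen)
{
    if (name == NULL || path == NULL || exists == NULL || out == NULL || outlen == 0)
        return -1;
    return walk_path(name, path, exists, out, outlen);
}

int main(void)
{
    char buf[256];
    const char *search = "/home/user/.catdoc:/usr/share/catdoc";

    if (find_file_safe("8859-1.txt", search, fake_exists, buf, sizeof buf) == 1)
        printf("found: %s\n", buf);

    /* With a NULL search path the safe version returns an error; the
     * unchecked version would SEGV here, as in the ASan trace above. */
    if (find_file_safe("8859-1.txt", NULL, fake_exists, buf, sizeof buf) == -1)
        printf("NULL search path rejected\n");
    return 0;
}
```

The point of splitting the loop out of the two entry points is that the fix belongs at the boundary where untrusted input (here the search path) enters the function, not inside the loop: the caller of find_file then gets an explicit -1 it can turn into a clean error message, and the crafted document only costs a failed lookup instead of a crash.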
