Darren Kenny wrote:
> All other instances of call to __argp_failure() where there is
> a dgettext() call first check whether the value of state is NULL
> before attempting to dereference it to get the root_argp->argp_domain.
>
> This was originally found during a Coverity scan of GRUB2.

Thanks. I confirm that that is a possible NULL dereference here. I've applied your patch. The notation '(tiny change)' is explained in <https://www.gnu.org/prep/maintain/html_node/Legally-Significant.html>.

2021-06-18  Darren Kenny  <[email protected]>  (tiny change)

	argp: Avoid possible NULL access in argp_help.
	Reported by Coverity. The invocation chain is:
	argp_help -> _help -> fill_in_uparams -> validate_uparams.
	* lib/argp-help.c (validate_uparams): Don't crash if state == NULL.

diff --git a/lib/argp-help.c b/lib/argp-help.c index 4c89697..80cdb44 100644 --- a/lib/argp-help.c +++ b/lib/argp-help.c @@ -147,7 +147,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr) if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin) { __argp_failure (state, 0, 0, - dgettext (state->root_argp->argp_domain, + dgettext (state == NULL ? NULL + : state->root_argp->argp_domain, "\ ARGP_HELP_FMT: %s value is less than or equal to %s"), "rmargin", up->name);
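
Review bot: the new condition in the dgettext call of validate_uparams guards only state; state->root_argp is still dereferenced unchecked in the else branch, so it is worth confirming that root_argp is always set whenever state is non-NULL, or extending the condition to cover it. A one-line comment at this call noting that state is NULL when the function is reached through argp_help -> _help -> fill_in_uparams would keep the reason for the check next to the code. A regression test that calls argp_help with an ARGP_HELP_FMT value that trips this rmargin comparison would exercise the path Coverity flagged.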
