NULL pointer dereference in the process_raw_blocks() function

[fcambus]

Hi,

While fuzzing peg-markdown with Honggfuzz, I found a NULL pointer dereference in the process_raw_blocks() function.

Attaching a reproducer (gzipped so GitHub accepts it): test01.md.gz

Issue can be reproduced by running:

markdown test01.md

AddressSanitizer:DEADLYSIGNAL
=================================================================
==641623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056945a bp 0x7ffeff8c0680 sp 0x7ffeff8c05b0 T0)
==641623==The signal is caused by a READ memory access.
==641623==Hint: address points to the zero page.
    #0 0x56945a in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:131:41
    #1 0x569616 in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:139:33
    #2 0x569089 in markdown_to_g_string /home/fcambus/peg-markdown/markdown_lib.c:161:14
    #3 0x5696e0 in markdown_to_string /home/fcambus/peg-markdown/markdown_lib.c:177:11
    #4 0x4c4bbc in main /home/fcambus/peg-markdown/markdown.c:180:11
    #5 0x7f71b46590b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c43d in _start (/home/fcambus/peg-markdown/markdown+0x41c43d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fcambus/peg-markdown/markdown_lib.c:131:41 in process_raw_blocks
==641623==ABORTING

[jgm]

Thank you. I should perhaps clarify in the README that this is essentially an unmaintained package.

[fcambus]

Ah, makes sense. I had requested a CVE number just after posting that
issue, before seeing your answer. FWIW, this got assigned CVE-2020-25821.