Null pointer dereference in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp

[zyingp]

I fuzzed and found another null pointer dereference problem in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp. The problem exists in both the 3.5.5 version and the master branch (2018/12/2), with the same crash stack.

Build libsass/sassc with ASan:
CXX=clang++ CC=clang CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS make -C sassc -j4

Run ./sassc sass_npd and program crashes.
(sass_npd is at here: https://github.com/zyingp/temp/blob/master/sass_npd)

Crash stack

Crash stack (of master branch):

AddressSanitizer:DEADLYSIGNAL
=================================================================
==42416==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010832659a bp 0x7ffee7ded890 sp 0x7ffee7ded5e0 T0)
==42416==The signal is caused by a READ memory access.
==42416==Hint: address points to the zero page.
    #0 0x108326599 in Sass::Eval::operator()(Sass::Supports_Operator*) eval.cpp:1326
    #1 0x107e9b3c6 in Sass::Supports_Operator::perform(Sass::Operation<Sass::Value*>*) ast_supports.hpp:73
    #2 0x1083693ed in Sass::Expand::operator()(Sass::Supports_Block*) expand.cpp:162
    #3 0x107e9b073 in Sass::Supports_Block::perform(Sass::Operation<Sass::Value*>*) ast_supports.hpp:45
    #4 0x10836305c in Sass::Expand::append_block(Sass::Block*) expand.cpp:807
    #5 0x108361950 in Sass::Expand::operator()(Sass::Block*) expand.cpp:72
    #6 0x107f82193 in Sass::Context::compile() context.cpp:678
    #7 0x107f7e9bb in Sass::File_Context::parse() context.cpp:605
    #8 0x108589400 in Sass::sass_parse_block(Sass_Compiler*) sass_context.cpp:234
    #9 0x108588b8a in sass_compiler_parse sass_context.cpp:483
    #10 0x1085882f9 in sass_compile_context(Sass_Context*, Sass::Context*) sass_context.cpp:371
    #11 0x10858871d in sass_compile_file_context sass_context.cpp:470
    #12 0x107e10796 in compile_file sassc.c:158
    #13 0x107e110d6 in main sassc.c:370
    #14 0x7fff701cb014 in start (libdyld.dylib:x86_64+0x1014)

==42416==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee7ded700  rcx = 0x0000000000000000  rdx = 0x0000100000000000  
rdi = 0x00007ffee7ded620  rsi = 0x00007ffee7ded620  rbp = 0x00007ffee7ded890  rsp = 0x00007ffee7ded5e0  
 r8 = 0x00001c18000003ed   r9 = 0x00001c18000003e0  r10 = 0x00001c18000003ed  r11 = 0xffffe0c118215698  
r12 = 0x00007ffee7deed70  r13 = 0x000060d000000450  r14 = 0x00007ffee7deed88  r15 = 0x000060d000000380  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV eval.cpp:1326 in Sass::Eval::operator()(Sass::Supports_Operator*)
==42416==ABORTING

It seems that in function Expression_Ptr Eval::operator()(Supports_Operator_Ptr c), the right variable (not Null) is casted and becomes a Null Supports_Condition SharedObj at line Cast<Supports_Condition>(right),.

  Expression_Ptr Eval::operator()(Supports_Operator_Ptr c)
  {
    Expression_Ptr left = c->left()->perform(this);
    Expression_Ptr right = c->right()->perform(this);
    Supports_Operator_Ptr cc = SASS_MEMORY_NEW(Supports_Operator,
                                 c->pstate(),
                                 Cast<Supports_Condition>(left),
                                 Cast<Supports_Condition>(right),
                                 c->operand());
    return cc;
  }

[glebm]

Minimal example:

@supports (foo: bar) or {
}

Dart Sass:

Error: expected "(".
@supports (foo: bar) or {
                        ^

Ruby Sass:

sass ~/tmp/npd.scss        
Error: Invalid CSS after "...(foo: bar) or  ": expected @supports condition (e.g. (display: flexbox)), was "{"