[BusyBox 0004544]: cut reads/writes invalid memory for certain inputs

bugs at busybox.net bugs at busybox.net
Mon Aug 11 04:58:33 UTC 2008


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4544 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4544
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             08-10-2008 21:58 PDT
Last Modified:              08-10-2008 21:58 PDT
====================================================================== 
Summary:                    cut reads/writes invalid memory for certain inputs
Description: 
I think the problem occurs when you have lines containing only
delimiters.

Here is a simple example:

cut -f- A

where A contains "\t\n" (one tab, one newline)


53: char *printed = xzalloc(linelen * sizeof(char));
...
125:        for (; cl_pos < nlists && line; cl_pos++) {
126:                spos = cut_lists[cl_pos].startpos;
127:                do {
128:                        /* find the field we're looking for */
129:                        while (line && ndelim < spos) {
130:                                field = strsep(&line, delimiter);
131:                                ndelim++;
132:                        }
133:
134:                        /* we found it, and it hasn't been printed yet */
135:                        if (field && ndelim == spos && !printed[ndelim]) {
...
142:                                printed[ndelim] = 'X';

On cut.c:53, the buffer printed is allocated.  In our example it has
size 1.  On the first iteration through the loop on line 125, line is
"\t".  The call to strsep on line 130 returns "" and sets line to "".

Since line is not NULL, a second iteration through the do-while loop
is performed.  This time the call to strsep sets line to NULL.  When
line 135 is executed again, printed is indexed by ndelim, which now
has value 1, and so printed[ndelim] reads past the buffer printed.
Later, on line 142, this invalid location is also written.

I think the fix might be to simply increase the size of printed by 1,
but I haven't looked closely enough at the code.

Thanks,
Cristian
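
The strsep() walk described in the report, as an added illustration that is not BusyBox code: highest_printed_index() counts how far ndelim climbs on a line, and printed_alloc_sufficient() checks that count against a buffer of the original size (linelen) and of the proposed size (linelen + 1). It also covers the general case: a delimiter is one byte, so ndelim can never exceed linelen, which is why the one-byte increase is enough for any input.

```c
#define _GNU_SOURCE   /* strsep() is a BSD/GNU extension */
#include <stdlib.h>
#include <string.h>

/* Walk `line` with strsep() the way the quoted cut.c loop does and return
   the largest value ndelim reaches, i.e. the largest index used for
   printed[]. strsep() modifies its argument, so the walk uses a private
   copy. (Added helper, not part of cut.c.) */
size_t highest_printed_index(const char *line, const char *delimiter)
{
    size_t len = strlen(line);
    char *copy = malloc(len + 1);
    char *rest = copy;
    size_t ndelim = 0;

    if (!copy)
        return 0;
    memcpy(copy, line, len + 1);

    /* every strsep() call yields one (possibly empty) field; rest becomes
       NULL only after the last field, so "\t" yields two fields and one
       increment of ndelim, exactly as in the report */
    while (rest) {
        (void)strsep(&rest, delimiter);
        if (rest)
            ndelim++;   /* one delimiter consumed */
    }
    free(copy);
    return ndelim;
}

/* Does a printed[] buffer of `alloc` bytes cover every index the loop
   produces for this line? cut.c:53 passes alloc == linelen. */
int printed_alloc_sufficient(const char *line, const char *delimiter,
                             size_t alloc)
{
    return highest_printed_index(line, delimiter) < alloc;
}

/* Size proposed in the report. A line of linelen bytes holds at most
   linelen delimiters, so ndelim <= linelen and linelen + 1 slots always
   suffice. */
size_t printed_alloc_fixed(const char *line)
{
    return strlen(line) + 1;
}
```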

====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-10-08 21:58  cristic        New Issue                                    
08-10-08 21:58  cristic        Status                   new => assigned     
08-10-08 21:58  cristic        Assigned To               => BusyBox         
======================================================================