[BusyBox 0004374]: tr [= buffer overflow
bugs at busybox.net
bugs at busybox.net
Mon Jul 28 06:43:52 UTC 2008
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=4374
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4374
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 07-27-2008 23:43 PDT
Last Modified: 07-27-2008 23:43 PDT
======================================================================
Summary: tr [= buffer overflow
Description:
Calling
tr [=
triggers a buffer overflow, which causes tr to process garbage data:
53: while (*arg) {
...
/* "[xyz...", i=x, arg points to y */
136: if (ENABLE_FEATURE_TR_EQUIV && i == '=') { /* [=CHAR=] */
*buffer++ = *arg; /* copy CHAR */
arg += 3; /* skip CHAR=] */
continue;
}
...
When line tr.c:136 is hit, i is "=", and arg points just past the end of
the
original buffer. Then arg is incremented by 3, and the main loop at
tr.c:53
continues processing garbage data.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
07-27-08 23:43 cristic New Issue
07-27-08 23:43 cristic Status new => assigned
07-27-08 23:43 cristic Assigned To => BusyBox
======================================================================
More information about the busybox-cvs
mailing list