[BusyBox 0004374]: tr [= buffer overflow

bugs at busybox.net bugs at busybox.net
Mon Jul 28 06:43:52 UTC 2008


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4374 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4374
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-27-2008 23:43 PDT
Last Modified:              07-27-2008 23:43 PDT
====================================================================== 
Summary:                    tr [= buffer overflow
Description: 
Calling
  tr [= 

triggers a buffer overflow, which causes tr to process garbage data:

 53:        while (*arg) {
            ...
			/* "[xyz...", i=x, arg points to y */
136:			if (ENABLE_FEATURE_TR_EQUIV && i == '=') { /* [=CHAR=] */
				*buffer++ = *arg; /* copy CHAR */
				arg += 3;	/* skip CHAR=] */
				continue;
			}
            ...

When line tr.c:136 is hit, i is "=", and arg points just past the end of
the
original buffer. Then arg is incremented by 3, and the main loop at
tr.c:53
continues processing garbage data. 

====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-27-08 23:43  cristic        New Issue                                    
07-27-08 23:43  cristic        Status                   new => assigned     
07-27-08 23:43  cristic        Assigned To               => BusyBox         
======================================================================




More information about the busybox-cvs mailing list