svn commit: trunk/busybox/coreutils

vda at busybox.net vda at busybox.net
Wed Jul 30 22:58:19 UTC 2008


Author: vda
Date: 2008-07-30 15:58:18 -0700 (Wed, 30 Jul 2008)
New Revision: 22992

Log:
tr: fix yet another access past the end of a string (bug 4374)



Modified:
   trunk/busybox/coreutils/tr.c


Changeset:
Modified: trunk/busybox/coreutils/tr.c
===================================================================
--- trunk/busybox/coreutils/tr.c	2008-07-30 21:23:26 UTC (rev 22991)
+++ trunk/busybox/coreutils/tr.c	2008-07-30 22:58:18 UTC (rev 22992)
@@ -145,12 +145,14 @@
 				arg--; /* points to x */
 				continue; /* copy all, including eventual ']' */
 			}
-			/* [x-y...] */
-			arg++;
+			/* [x-z] */
+			arg++; /* skip - */
+			if (arg[0] == '\0' || arg[1] != ']')
+				bb_show_usage();
 			ac = *arg++;
 			while (i <= ac)
 				*buffer++ = i++;
-			arg++;	/* skip the assumed ']' */
+			arg++;	/* skip ] */
 			continue;
 		}
 		*buffer++ = *arg++;




More information about the busybox-cvs mailing list