0004694: hexdump segfault/NULL pointer dereference

Denys Vlasenko vda.linux at googlemail.com
Sat Aug 23 23:16:02 UTC 2008


On Friday 22 August 2008 06:28, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4694
> 
> hexdump -e ""
> 
> segfaults on my machine due to a NULL pointer dereference.

Exists at least since 1.9.x

> 56: dumper_t *dumper = alloc_dumper();
> 
> ...
> 86: if (ch == 'e') {
> 87:     bb_dump_add(dumper, optarg);
> ...
> 116: return bb_dump_dump(dumper, argv);
> 
> The problem is as follows: hexdump.c:56 allocates a new dumper, and
> later hexdump.c:87 sets dumper->fshead to point to {nextfs = 0x0,
> nextfu = 0x0, bcnt = 0}. Then bb_dump_dump() is called, which in 
> turn calls rewrite(dumper, tfs) with tfs=dumper->fshead:
> 
> 301: for (fu = fs->nextfu;; fu = fu->nextfu) {
> 302: if (!fu->nextfu && fs->bcnt < dumper->blocksize
>          && !(fu->flags & F_SETREP) && fu->bcnt
>         ) {
> 
> On dump.c:301, fu is set to fs->nextfu, which is NULL. Then on line 
> 302, fu is dereferenced, causing a NULL pointer dereference.
> 
> Is line 301 supposed to be "for (fu = fs->nextfu; fu; fu = fu->nextfu)"?

Probably yes, I changed it like you suggested. Thanks.
--
vda
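The fix discussed above, as an added worked example (not BusyBox code): a minimal linked-list stand-in for dump.c's format-set/format-unit structures, built so that an empty format string leaves `fshead->nextfu == NULL` exactly as the report describes. The struct layouts, `build_fs`, `walk_units` and `fs_has_units` are assumptions for this demonstration, not dump.c's real definitions; only the field names and the corrected loop condition come from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the format-unit (fu) and format-set (fs) lists that
 * dump.c's rewrite() walks. Field names follow the quoted report; the struct
 * layouts are an assumption for this example, not dump.c's real definitions. */
typedef struct fu_s {
    struct fu_s *nextfu;
    unsigned bcnt;
} fu_t;

typedef struct fs_s {
    struct fs_s *nextfs;
    fu_t *nextfu;   /* NULL when the format string contributed no units, as with -e "" */
    unsigned bcnt;
} fs_t;

/* Build a format set with n units of the given byte counts.
 * n == 0 models what `hexdump -e ""` leaves behind: a head with nextfu == NULL. */
static fs_t *build_fs(const unsigned *bcnts, size_t n) {
    fs_t *fs = calloc(1, sizeof *fs);
    fu_t **tail = &fs->nextfu;
    for (size_t i = 0; i < n; i++) {
        fu_t *fu = calloc(1, sizeof *fu);
        fu->bcnt = bcnts[i];
        fs->bcnt += bcnts[i];
        *tail = fu;
        tail = &fu->nextfu;
    }
    return fs;
}

static void free_fs(fs_t *fs) {
    fu_t *fu = fs->nextfu;
    while (fu) {
        fu_t *next = fu->nextfu;
        free(fu);
        fu = next;
    }
    free(fs);
}

/* The corrected loop from the thread. The original
 *     for (fu = fs->nextfu;; fu = fu->nextfu)
 * has no termination test, so with an empty list fu is NULL on the first
 * iteration and the body's fu->nextfu read faults. The middle clause turns
 * an empty list into a zero-iteration loop instead of a crash.
 * Returns the number of units visited. */
int walk_units(const fs_t *fs) {
    int visited = 0;
    const fu_t *fu;
    for (fu = fs->nextfu; fu; fu = fu->nextfu) {
        /* fu is non-NULL here, so reading fu->nextfu / fu->bcnt
         * (as dump.c:302 does) is safe. */
        visited++;
    }
    return visited;
}

/* Defensive check for the point where a format is added: a format that
 * produced no units can be rejected before it ever reaches the traversal. */
int fs_has_units(const fs_t *fs) {
    return fs != NULL && fs->nextfu != NULL;
}

/* hexdump -e "" : constructed empty format set. Returns units visited (0). */
int demo_empty_format(void) {
    fs_t *fs = build_fs(NULL, 0);
    int n = walk_units(fs);   /* zero iterations, no dereference */
    free_fs(fs);
    return n;
}

/* Constructed three-unit format set. Returns units visited (3). */
int demo_three_units(void) {
    const unsigned bcnts[] = {4, 2, 1};
    fs_t *fs = build_fs(bcnts, 3);
    int n = walk_units(fs);
    free_fs(fs);
    return n;
}

/* Returns 0: the up-front check rejects an empty format set. */
int demo_validation_rejects_empty(void) {
    fs_t *fs = build_fs(NULL, 0);
    int ok = fs_has_units(fs);
    free_fs(fs);
    return ok;
}

int main(void) {
    printf("empty format: %d units visited\n", demo_empty_format());
    printf("three units:  %d units visited\n", demo_three_units());
    printf("empty format passes validation: %d\n", demo_validation_rejects_empty());
    return 0;
}
```

The loop fix alone is what the thread settled on; `fs_has_units` shows the complementary option of refusing an empty format at `bb_dump_add` time, so a malformed `-e` argument is reported rather than silently walked as an empty list.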


