0004694: hexdump segfault/NULL pointer dereference
Denys Vlasenko
vda.linux at googlemail.com
Sat Aug 23 23:16:02 UTC 2008
On Friday 22 August 2008 06:28, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4694
>
> hexdump -e ""
>
> segfaults on my machine due to a NULL pointer dereference.
Exists at least since 1.9.x
> 56: dumper_t *dumper = alloc_dumper();
>
> ...
> 86: if (ch == 'e') {
> 87: bb_dump_add(dumper, optarg);
> ...
> 116: return bb_dump_dump(dumper, argv);
>
> The problem is as follows: hexdump.c:56 allocates a new dumper, and
> later hexdump.c:87 sets dumper->fshead to point to {nextfs = 0x0,
> nextfu = 0x0, bcnt = 0}. Then bb_dump_dump() is called, which in
> turn calls rewrite(dumper, tfs) with tfs=dumper->fshead:
>
> 301: for (fu = fs->nextfu;; fu = fu->nextfu) {
> 302: if (!fu->nextfu && fs->bcnt < dumper->blocksize
> && !(fu->flags & F_SETREP) && fu->bcnt
> ) {
>
> On dump.c:301, fu is set to fs->nextfu, which is NULL. Then on line
> 302, fu is dereferenced, causing a NULL pointer dereference.
>
> Is line 301 supposed to be "for (fu = fs->nextfu; fu; fu = fu->nextfu)"?
Probably yes, I changed it like you suggested. Thanks.
--
vda
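The defect in the quoted report, modelled as an added C example that is not BusyBox's code: the `fu`/`fs` structs, the trailing `break` in the buggy loop and the two walk functions are hypothetical stand-ins. It places the unterminated dump.c:301 loop beside the proposed `fu` termination test and runs both on the empty format-unit list that `hexdump -e ""` produces.

```c
#include <stddef.h>

/* Simplified model of the format-string list in BusyBox dump.c
 * (hypothetical stand-ins, not the project's real definitions). */
#define F_SETREP 0x01
typedef struct fu { struct fu *nextfu; int flags; int bcnt; } FU;   /* format unit   */
typedef struct fs { struct fs *nextfs; FU *nextfu; int bcnt; } FS;  /* format string */

enum { WALK_NULL_DEREF = -1 };

/* Models the quoted dump.c:301 loop: the for() has no termination test,
 * so on the first pass fu == fs->nextfu is dereferenced unchecked. Instead
 * of faulting, this model returns WALK_NULL_DEREF where the real code would.
 * The trailing break is an assumption about how the original loop ends. */
static int walk_buggy(const FS *fs, int blocksize)
{
    const FU *fu;
    int last_fixups = 0;
    for (fu = fs->nextfu;; fu = fu->nextfu) {
        if (fu == NULL)
            return WALK_NULL_DEREF;        /* dump.c:302 would fault here */
        if (!fu->nextfu && fs->bcnt < blocksize
         && !(fu->flags & F_SETREP) && fu->bcnt)
            last_fixups++;                 /* last unit needs a repeat fixup */
        if (!fu->nextfu)
            break;
    }
    return last_fixups;
}

/* Loop with the termination test proposed in the report: an empty
 * format string (hexdump -e "") is now simply a no-op. */
static int walk_fixed(const FS *fs, int blocksize)
{
    const FU *fu;
    int last_fixups = 0;
    for (fu = fs->nextfu; fu; fu = fu->nextfu) {
        if (!fu->nextfu && fs->bcnt < blocksize
         && !(fu->flags & F_SETREP) && fu->bcnt)
            last_fixups++;
    }
    return last_fixups;
}

/* Constructed inputs: the empty -e "" format string, and a one-unit string. */
static FS empty_fs = { NULL, NULL, 0 };
static FU one_unit = { NULL, 0, 4 };
static FS one_unit_fs = { NULL, &one_unit, 4 };
```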