[Bug 12961] New: A null pointer dereference in busybox/editors/diff.c results in a crash

bugzilla at busybox.net bugzilla at busybox.net
Fri May 29 14:07:45 UTC 2020


https://bugs.busybox.net/show_bug.cgi?id=12961

            Bug ID: 12961
           Summary: A null pointer dereference in busybox/editors/diff.c
                    results in a crash
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: liupeiyu at zju.edu.cn
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

In function diffreg(char *file[2]) of busybox/editors/diff.c,

    744 fp[i] = fdopen(fd, "r");
    ...
    753 i = fread(buf0, 1, sz, fp[0]);
    754 j = fread(buf1, 1, sz, fp[1]);


at line 744, when fdopen() fails, fp[i] will be NULL; then, at line 753, fp[0]
is used without any check. Finally, fp[0] will be dereferenced in fread without
any check (at least fread in uclibc does not check this pointer), i.e., a null
pointer dereference occurs. fp[1] in line 754 is the same case.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking fp[0] before using it, such as:

if (fp[0])
     i = fread(buf0, 1, sz, fp[0]);
else
     ... (goto out?)
