[Bug 12961] New: A null pointer dereference in busybox/editors/diff.c results in a crash
bugzilla at busybox.net
Fri May 29 14:07:45 UTC 2020
https://bugs.busybox.net/show_bug.cgi?id=12961
Bug ID: 12961
Summary: A null pointer dereference in busybox/editors/diff.c results in a crash
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: liupeiyu at zju.edu.cn
CC: busybox-cvs at busybox.net
Target Milestone: ---
In function diffreg(char *file[2]) of busybox/editors/diff.c,
744 fp[i] = fdopen(fd, "r");
...
753 i = fread(buf0, 1, sz, fp[0]);
754 j = fread(buf1, 1, sz, fp[1]);
at line 744, when fdopen() fails, fp[i] will be NULL; then, at line 753, fp[0]
is used without any check. Finally, fp[0] will be dereferenced in fread without
any check (at least fread in uclibc does not check this pointer), i.e., a null
pointer dereference occurs. fp[1] in line 754 is the same case.
I have dynamically tested this bug; it leads to a crash at runtime.
Maybe we can fix this bug by checking fp[0] before using it, such as:
    if (fp[0])
        i = fread(buf0, 1, sz, fp[0]);
    else
        ... (goto out?)