[Bug 14956] A use-after-free in busybox's bc applet

bugzilla at busybox.net
Thu Aug 18 14:23:37 UTC 2022


https://bugs.busybox.net/show_bug.cgi?id=14956

--- Comment #3 from Denys Vlasenko <vda.linux at googlemail.com> ---
I can't reproduce it.

Does this fix work for you?

--- a/miscutils/bc.c
+++ b/miscutils/bc.c
@@ -2892,6 +2892,8 @@ static char peek_inbuf(void)
        ) {
                xc_read_line(&G.input_buffer, G.prs.lex_input_fp);
                G.prs.lex_inbuf = G.input_buffer.v;
+               /* lex_next_at may point to now-freed data, update it */
+               G.prs.lex_next_at = G.prs.lex_inbuf;
                if (G.input_buffer.len <= 1) // on EOF, len is 1 (NUL byte)
                        G.prs.lex_input_fp = NULL;
        }
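Review bot: the new comment says lex_next_at "may point to now-freed data" but not why; state the cause, that xc_read_line() can reallocate G.input_buffer.v, so every pointer derived from the previous lex_inbuf is stale after that call, not only lex_next_at. Two follow-ups for the same hunk: check for other cached pointers into the line buffer (token start or end positions kept across a refill) and refresh them at this point too, and if lex_inbuf is refreshed from G.input_buffer.v anywhere else, apply the same reset there. Resetting the cursor to lex_inbuf rather than to its previous offset is right only because the refill replaces the whole line; saying so in the comment makes the intent clear, e.g. "/* xc_read_line() may have reallocated the buffer; restart at the new line */".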

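As an added illustration of the hazard the patch above closes (standalone example code, not busybox's bc.c and not part of the bug comment): a lexer keeps two pointers into a growable line buffer, refilling the buffer moves it, and only the pointer that is refreshed stays valid. The names lex_inbuf and lex_next_at mirror the patch; struct line_buffer, read_line(), the refill_* helpers, cursor_is_live() and the two input lines are constructed for this example. read_line() always allocates a fresh block and frees the old one, which is the worst case a growing realloc() can produce, so the unpatched shape dangles deterministically rather than only sometimes.

```c
/* Stale-cursor-after-refill example. Not busybox code; names mirror the
 * patch, everything else is constructed for illustration. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct line_buffer {
    char  *v;    /* NUL-terminated current line; may move on refill */
    size_t len;  /* bytes including the NUL (1 at EOF, as in busybox) */
};

struct lexer {
    const char  *lex_inbuf;   /* start of the current line */
    const char  *lex_next_at; /* cursor into that line */
    const char **lines;       /* constructed input, one entry per line */
    size_t       nlines, cur;
};

/* Model of xc_read_line(): fetch the next line into buf. Always allocates a
 * fresh block and frees the old one, which is what a growing realloc() may
 * do and is the case the patch comment warns about. Returns 1 on data,
 * 0 at EOF (len stays 1 for the lone NUL). */
static int read_line(struct line_buffer *buf, struct lexer *lx)
{
    const char *src = (lx->cur < lx->nlines) ? lx->lines[lx->cur++] : "";
    size_t n = strlen(src) + 1;
    char *fresh = malloc(n);
    assert(fresh);
    memcpy(fresh, src, n);
    free(buf->v);          /* old line gone; any pointer into it is stale */
    buf->v = fresh;
    buf->len = n;
    return n > 1;
}

/* Unpatched shape: lex_inbuf follows the new buffer, lex_next_at does not. */
static void refill_unpatched(struct lexer *lx, struct line_buffer *buf)
{
    read_line(buf, lx);
    lx->lex_inbuf = buf->v;
}

/* Patched shape (the two added lines): cursor restarted at the new line. */
static void refill_patched(struct lexer *lx, struct line_buffer *buf)
{
    read_line(buf, lx);
    lx->lex_inbuf = buf->v;
    lx->lex_next_at = lx->lex_inbuf;  /* lex_next_at may point to freed data */
}

/* Is the cursor inside the live buffer? Addresses are compared as integers
 * so a dangling pointer is never dereferenced. */
static int cursor_is_live(const struct lexer *lx, const struct line_buffer *buf)
{
    uintptr_t lo = (uintptr_t)buf->v, hi = lo + buf->len;
    uintptr_t p = (uintptr_t)lx->lex_next_at;
    return p >= lo && p < hi;
}

/* Lex the first line to its end, refill, then report whether the cursor is
 * still inside the live buffer: 1 = live, 0 = dangling into freed memory. */
static int run_scenario(int patched)
{
    static const char *input[] = { "x = 1", "y = x + 1" }; /* constructed */
    struct line_buffer buf = { NULL, 0 };
    struct lexer lx = { NULL, NULL, input, 2, 0 };
    int live;

    read_line(&buf, &lx);
    lx.lex_inbuf = buf.v;
    lx.lex_next_at = lx.lex_inbuf + 5;   /* consumed "x = 1", sitting on its NUL */

    if (patched)
        refill_patched(&lx, &buf);
    else
        refill_unpatched(&lx, &buf);

    live = cursor_is_live(&lx, &buf);
    free(buf.v);
    return live;
}

int main(void)
{
    printf("unpatched: cursor live after refill = %d\n", run_scenario(0));
    printf("patched:   cursor live after refill = %d\n", run_scenario(1));
    return 0;
}
```

The unpatched run leaves lex_next_at at an address inside the block read_line() just freed, which is exactly the read that a sanitizer or a reused allocation turns into a use-after-free; the patched run restarts the cursor at the new line. The same check, comparing cached pointers against the live buffer bounds after every refill, is a cheap assertion to keep in a lexer while hunting this class of bug.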