[Bug 12966] New: A null pointer dereference in uclibc/libc/stdio/fread.c leads to a crash

bugzilla at busybox.net bugzilla at busybox.net
Fri May 29 14:30:11 UTC 2020


https://bugs.busybox.net/show_bug.cgi?id=12966

            Bug ID: 12966
           Summary: A null pointer dereference in
                    uclibc/libc/stdio/fread.c leads to a crash
           Product: uClibc
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: stdio
          Assignee: unassigned at uclibc.org
          Reporter: liupeiyu at zju.edu.cn
                CC: uclibc-cvs at uclibc.org
  Target Milestone: ---

In function fread_unlocked() in uclibc/libc/stdio/fread.c
(https://git.uclibc.org/uClibc/tree/libc/stdio/fread.c),

    14 size_t fread_unlocked(void * __restrict ptr, size_t size, size_t nmemb,
    15                                  FILE * __restrict stream)
    16 {
    17   __STDIO_STREAM_VALIDATE(stream);
    18   assert(stream->__filedes >= -1);
    ...

at line 18, argument stream is dereferenced without any check. However, the
caller may pass a NULL pointer here, i.e., a null pointer dereference may
occur.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking stream before using it, such as:

if (stream)
     assert(stream->__filedes >= -1);
else
     ...(handle the error ...)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
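Added example, not from the bug report and not uClibc's own code: a
caller-side guard around fread() that rejects a NULL stream (reporting
EINVAL) instead of letting it reach fread_unlocked(), where the report
shows it is dereferenced with no check. The helper names checked_fread
and demo_checked_fread are hypothetical, and the sample payload is
constructed; the temporary file stands in for any real stream.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Caller-side guard: uClibc's fread_unlocked() dereferences `stream` before
 * any NULL check, so a NULL FILE* reaches the libc and crashes the process.
 * This hypothetical wrapper refuses NULL arguments up front and reports
 * EINVAL, so a bad handle becomes an error return rather than a crash. */
size_t checked_fread(void *ptr, size_t size, size_t nmemb, FILE *stream)
{
    if (stream == NULL || ptr == NULL) {
        errno = EINVAL;
        return 0;
    }
    if (size == 0 || nmemb == 0)
        return 0; /* nothing to read; stream state is left unchanged */
    return fread(ptr, size, nmemb, stream);
}

/* Self-check: reads a constructed sample back through a temporary file,
 * then confirms a NULL stream is rejected rather than dereferenced.
 * Returns 1 when both behaviours are as expected, 0 otherwise. */
int demo_checked_fread(void)
{
    const char sample[] = "constructed sample payload"; /* constructed input */
    char buf[64];
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    if (fwrite(sample, 1, sizeof sample - 1, fp) != sizeof sample - 1) {
        fclose(fp);
        return 0;
    }
    rewind(fp);

    size_t n = checked_fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    if (n != sizeof sample - 1 || memcmp(buf, sample, n) != 0)
        return 0;

    /* The raw fread() call with a NULL stream is what the report crashes on;
     * the wrapper turns it into a zero-length read with errno set. */
    errno = 0;
    n = checked_fread(buf, 1, sizeof buf, NULL);
    return n == 0 && errno == EINVAL;
}

int main(void)
{
    printf("%s\n", demo_checked_fread() ? "ok" : "FAIL");
    return 0;
}
```

The wrapper deliberately mirrors the stdio contract (zero return on error,
errno set) so existing callers that already check the return count keep
working; the same guard pattern applies to any libc entry point that trusts
its FILE* argument.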