List: busybox
Subject: Re: 0004694: hexdump segfault/NULL pointer dereference
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2008-08-23 23:16:02
Message-ID: 200808240116.02596.vda.linux () googlemail ! com
On Friday 22 August 2008 06:28, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4694
>
> hexdump -e ""
>
> segfaults on my machine due to a NULL pointer dereference.
Exists at least since 1.9.x
> 56: dumper_t *dumper = alloc_dumper();
>
> ...
> 86: if (ch == 'e') {
> 87: bb_dump_add(dumper, optarg);
> ...
> 116: return bb_dump_dump(dumper, argv);
>
> The problem is as follows: hexdump.c:56 allocates a new dumper, and
> later hexdump.c:87 sets dumper->fshead to point to {nextfs = 0x0,
> nextfu = 0x0, bcnt = 0}. Then bb_dump_dump() is called, which in
> turn calls rewrite(dumper, tfs) with tfs=dumper->fshead:
>
> 301: for (fu = fs->nextfu;; fu = fu->nextfu) {
> 302: if (!fu->nextfu && fs->bcnt < dumper->blocksize
> && !(fu->flags & F_SETREP) && fu->bcnt
> ) {
>
> On dump.c:301, fu is set to fs->nextfu, which is NULL. Then on line
> 302, fu is dereferenced, causing a NULL pointer dereference.
>
> Is line 301 supposed to be "for (fu = fs->nextfu; fu; fu = fu->nextfu)"?
Probably yes, I changed it like you suggested. Thanks.
--
vda
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
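To make the failure mode in the report concrete, here is an added example (not busybox code, and not from either poster) that models the two structures the report names with assumed, cut-down field layouts, and places the reported loop beside the fixed loop from the thread. The `-e ""` case is a constructed format-set whose `nextfu` is NULL, exactly the `{nextfs = 0x0, nextfu = 0x0, bcnt = 0}` state described above; `F_SETREP` and the loop bodies are stand-ins, since the page does not show the original bodies.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed, cut-down shapes of the format-unit and format-set records.
 * Only the fields the report mentions are kept. */
#define F_SETREP 0x01

typedef struct FU {
    struct FU *nextfu;
    unsigned flags;
    int bcnt;
} FU;

typedef struct FS {
    struct FS *nextfs;
    FU *nextfu;
    int bcnt;
} FS;

/* The loop as reported: it assumes at least one format unit exists.
 * When the caller passes an FS whose nextfu is NULL (what "-e \"\""
 * produces), the first iteration dereferences NULL. The body here is
 * a simplified stand-in that just counts units. */
static int count_units_unchecked(const FS *fs)
{
    int n = 0;
    const FU *fu;
    for (fu = fs->nextfu;; fu = fu->nextfu) {
        n++;
        if (!fu->nextfu)   /* NULL dereference if fu == NULL */
            break;
    }
    return n;
}

/* The fix suggested in the thread: the loop condition tests fu, so an
 * empty unit list is simply skipped. */
static int count_units_checked(const FS *fs)
{
    int n = 0;
    const FU *fu;
    for (fu = fs->nextfu; fu; fu = fu->nextfu)
        n++;
    return n;
}

/* Same hardened loop wrapped around the condition quoted from dump.c:302.
 * Returns 1 when the last unit would qualify, 0 otherwise (including the
 * empty-list case that used to crash). */
static int last_unit_qualifies(const FS *fs, int blocksize)
{
    const FU *fu;
    for (fu = fs->nextfu; fu; fu = fu->nextfu) {
        if (!fu->nextfu && fs->bcnt < blocksize
            && !(fu->flags & F_SETREP) && fu->bcnt)
            return 1;
    }
    return 0;
}

/* Constructed sample data: a two-unit format set and the empty set that
 * an empty -e argument yields. */
static FU sample_second = { NULL, 0, 2 };
static FU sample_first  = { &sample_second, 0, 1 };
static FS sample_normal = { NULL, &sample_first, 3 };
static FS sample_empty  = { NULL, NULL, 0 };

int main(void)
{
    /* The unchecked loop is only ever called on the non-empty set here. */
    printf("normal: %d units (unchecked), %d units (checked)\n",
           count_units_unchecked(&sample_normal),
           count_units_checked(&sample_normal));
    printf("empty:  %d units (checked)\n",
           count_units_checked(&sample_empty));
    printf("last unit qualifies: normal=%d empty=%d\n",
           last_unit_qualifies(&sample_normal, 16),
           last_unit_qualifies(&sample_empty, 16));
    return 0;
}
```

The point to take from the two loop headers is that `for (init;; step)` encodes an invariant ("the list is never empty") that the option parser does not enforce; the one-token change moves that check into the loop, which is the smallest fix, while the more defensive alternative is to reject an empty `-e` format at parse time so the dumper never receives such an FS.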