List: busybox
Subject: Re: report two potential bugs
From: Xabier Oneca -- xOneca <xoneca () gmail ! com>
Date: 2020-10-12 21:02:20
Message-ID: CACkgH72-H_CA4U3snWF_Tm_FGij7BzuM17PZ5MD6KEadiBoxPQ () mail ! gmail ! com
Hi anonymous group,
Thank you for your bug report.
> ## Bug 1:
> in the file :coreutils/sort.c:485
>
> ```
> 485: char *str_k = llist_pop(&lst_k);
>
> i = 0; /* i==0 before comma, 1 after (-k3,6) */
> 488: while (*str_k) {
> ```
> In line 485, it calls the function `llist_pop`, but the function can return NULL.
That code is surrounded by 'while(lst_k)', so the list always has at
least one item and it should never return NULL.
> ## Bug 2:
> in the file :libbb/verror_msg.c: 100:3
>
> ```
> 65: msg1 = realloc(msg, applet_len + used + strerr_len + msgeol_len + 3);
> if (!msg1) {
> msg[used++] = '\n'; /* overwrites NUL */
> applet_len = 0;
> }else {
> ...
> }
> if (msg != stack_msg)
> 100: free(msg);
> ```
>
> In line 65, if the size `applet_len + used + strerr_len + msgeol_len + 3`
> passed to the `realloc` function could overflow to `0` (such as 0x100000000 on a
> 32-bit system), it could cause a double free at line 100 in glibc.
> We had better check whether the size passed to the `realloc` function could be
> `0`.
Not only 0, but smaller than expected if the final size is truncated.
Thanks,
Xabier Oneca_,,_
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
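The following is an added example, not code from the thread or from BusyBox itself. It models the size expression from the quoted verror_msg.c line 65 with a 32-bit `uint32_t` to show both failure modes named above (the sum wrapping to exactly `0`, and wrapping to a small non-zero value), and then shows the check a practitioner would put in front of `realloc()`. The function names (`wrapped_size32`, `checked_size32`, `checked_or_zero`, `append_checked`, `append_demo`, `overflow_demo`) and the sample strings are hypothetical; it assumes the GCC/Clang `__builtin_add_overflow` builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 32-bit model of the expression at verror_msg.c line 65.
 * With a 32-bit size_t the unsigned addition wraps silently: a sum of
 * exactly 0x100000000 becomes 0, and a slightly larger sum becomes a small
 * positive number (the "smaller than expected" case from the reply). */
uint32_t wrapped_size32(uint32_t applet_len, uint32_t used,
                        uint32_t strerr_len, uint32_t msgeol_len)
{
    return applet_len + used + strerr_len + msgeol_len + 3;
}

/* Hypothetical overflow-checked replacement: every partial sum is tested
 * with __builtin_add_overflow; on wrap it returns false and leaves *total
 * untouched, so the caller never reaches realloc() with a bogus length. */
bool checked_size32(uint32_t applet_len, uint32_t used,
                    uint32_t strerr_len, uint32_t msgeol_len,
                    uint32_t *total)
{
    uint32_t acc;
    if (__builtin_add_overflow(applet_len, used, &acc))  return false;
    if (__builtin_add_overflow(acc, strerr_len, &acc))   return false;
    if (__builtin_add_overflow(acc, msgeol_len, &acc))   return false;
    if (__builtin_add_overflow(acc, (uint32_t)3, &acc))  return false;
    *total = acc;
    return true;
}

/* Convenience wrapper: the checked total, or 0 if it would wrap.
 * A valid total is always >= 3 (the "+ 3"), so 0 unambiguously means overflow. */
uint32_t checked_or_zero(uint32_t applet_len, uint32_t used,
                         uint32_t strerr_len, uint32_t msgeol_len)
{
    uint32_t total;
    return checked_size32(applet_len, used, strerr_len, msgeol_len, &total)
           ? total : 0;
}

/* Hypothetical hardened grow-and-append step using the native size_t.
 * The new length is checked before realloc(), so realloc() is never handed
 * a wrapped (0 or too-small) size; on any failure *msg is left untouched and
 * still owned by the caller, who frees it exactly once.
 * Returns the new string length, or 0 on overflow / allocation failure. */
size_t append_checked(char **msg, size_t used, const char *suffix)
{
    size_t extra = strlen(suffix);
    size_t total;
    if (__builtin_add_overflow(used, extra, &total) ||
        __builtin_add_overflow(total, (size_t)1, &total))   /* room for NUL */
        return 0;
    char *msg1 = realloc(*msg, total);
    if (!msg1)
        return 0;                       /* *msg is still valid here */
    memcpy(msg1 + used, suffix, extra + 1);
    *msg = msg1;
    return used + extra;
}

/* Normal path on a constructed message: returns the final length (16). */
size_t append_demo(void)
{
    char *msg = malloc(5);
    if (!msg) return 0;
    memcpy(msg, "bb: ", 5);                       /* constructed prefix */
    size_t n = append_checked(&msg, 4, "No such file");
    if (strcmp(msg, "bb: No such file") != 0) n = 0;
    free(msg);                                    /* the one live block */
    return n;
}

/* Overflow path: a length that would wrap is rejected before realloc(),
 * the original buffer is intact, and the single free() below is safe.
 * Returns 1 on the expected outcome, 0 otherwise. */
int overflow_demo(void)
{
    char *msg = malloc(5);
    if (!msg) return 0;
    memcpy(msg, "bb: ", 5);
    char *before = msg;
    size_t n = append_checked(&msg, SIZE_MAX - 2, "abc");
    int ok = (n == 0 && msg == before && strcmp(msg, "bb: ") == 0);
    free(msg);
    return ok;
}

int main(void)
{
    printf("0x100000000 wraps to %u\n", wrapped_size32(0xFFFFFFFDu, 0, 0, 0));
    printf("0x100000013 wraps to %u\n", wrapped_size32(0xFFFFFFF0u, 0x20, 0, 0));
    printf("checked sane total: %u\n", checked_or_zero(7, 20, 9, 1));
    printf("checked wrapping total: %u\n", checked_or_zero(0xFFFFFFFDu, 0, 0, 0));
    printf("append_demo -> %zu, overflow_demo -> %d\n", append_demo(), overflow_demo());
    return 0;
}
```

The point of checking every partial sum rather than only testing the final value for `0` is the one made in the reply: a wrapped size can land on any small number, and `realloc()` will happily return a block that is far shorter than the bytes about to be written into it. Rejecting the operation before `realloc()` also keeps the ownership of `msg` unchanged, so the cleanup `free(msg)` remains a single free of a live block.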