BusyBox Bug and Patch Tracking
BusyBox
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0004354 [BusyBox] Other minor always 07-25-08 16:25 08-19-08 17:55
Reporter cristic View Status public  
Assigned To BusyBox
Priority normal Resolution fixed  
Status closed   Product Version svn
Summary 0004354: tr buffer overflow (invalid read)
Description Using [ in the set of characters to be translated/squeezed/deleted by tr
can cause a buffer overflow. Here is the simplest example:

tr [

Or tr -d [, for an example compatible w/ Coreutils.

The problem is in the function expand(), file tr.c:
tr.c:73 - arg is incremented to point past the end of the buffer holding "["
tr.c:141 - arg, which now points to invalid memory, is dereferenced

A much more minor issue is that Busybox accepts tr [, while Coreutils rejects it:
$ coreutils/tr [
tr: missing operand after `['
Two strings must be given when translating.
Try `tr --help' for more information.
Additional Information
Attached Files  4.patch [^] (542 bytes) 07-26-08 07:35

- Relationships

- Notes
(0010024)
vda
07-26-08 07:35

Please try attached 4.patch
 
(0010084)
cristic
07-27-08 23:38

Thanks, this does fix the problem, so we should close this report. Our tool
finds a similar bug in tr, but I'll report it in another thread (which makes
it easier for me to keep track of my reports).
 

- Issue History
Date Modified Username Field Change
07-25-08 16:25 cristic New Issue
07-25-08 16:25 cristic Status new => assigned
07-25-08 16:25 cristic Assigned To  => BusyBox
07-25-08 16:26 cristic Issue Monitored: cristic
07-26-08 07:35 vda File Added: 4.patch
07-26-08 07:35 vda Note Added: 0010024
07-27-08 23:35 cristic Note Added: 0010074
07-27-08 23:36 cristic Note Deleted: 0010074
07-27-08 23:38 cristic Note Added: 0010084
08-19-08 17:55 vda Status assigned => closed
08-19-08 17:55 vda Resolution open => fixed
08-19-08 17:55 vda Fixed in Version  => svn


Copyright © 2000 - 2006 Mantis Group
Powered by Mantis Bugtracker