BusyBox Bug and Patch Tracking
BusyBox
ID: 0004694
Category: [BusyBox] Other
Severity: crash
Reproducibility: always
Date Submitted: 08-21-08 21:20
Last Update: 08-23-08 16:17
Reporter: cristic
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: svn
Summary: 0004694: hexdump segfault/NULL pointer dereference
Description:

hexdump -e ""

segfaults on my machine due to NULL pointer dereference.

56: dumper_t *dumper = alloc_dumper();

...
86: if (ch == 'e') {
87: bb_dump_add(dumper, optarg);
...
116: return bb_dump_dump(dumper, argv);

The problem is as follows: hexdump.c:56 allocates a new dumper, and
later hexdump.c:86 sets dumper->fshead to point to {nextfs = 0x0,
nextfu = 0x0, bcnt = 0}. Then bb_dump_dump() is called, which in
turn calls rewrite(dumper, tfs) with tfs=dumper->fshead:

301: for (fu = fs->nextfu;; fu = fu->nextfu) {
302: if (!fu->nextfu && fs->bcnt < dumper->blocksize
         && !(fu->flags & F_SETREP) && fu->bcnt
        ) {

On dump.c:301, fu is set to fs->nextfu, which is NULL. Then on line
302, fu is dereferenced, causing a NULL pointer dereference.

Is line 301 supposed to be "for (fu = fs->nextfu; fu; fu = fu->nextfu)"?

Thanks,
Cristian
Additional Information
Attached Files
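The loop guard the reporter proposes, shown as an added C example that is not BusyBox's own code: the structs are constructed stand-ins carrying only the fields the report names, add_empty_format() reproduces the state the report attributes to `hexdump -e ""`, and the dump.c:302 condition is evaluated only when a unit actually exists.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the BusyBox dump.c structures named in the
 * report (FS = format string, FU = format unit). Only the fields the
 * report mentions are modelled; this is not the BusyBox code itself. */
#define F_SETREP 0x1
typedef struct FU { struct FU *nextfu; unsigned flags; int bcnt; } FU;
typedef struct FS { struct FS *nextfs; FU *nextfu; int bcnt; } FS;
typedef struct { FS *fshead; int blocksize; } dumper_t;

/* What `hexdump -e ""` leaves behind according to the report: a format
 * string with no units at all, i.e. {nextfs = 0, nextfu = 0, bcnt = 0}. */
static FS empty_fs;
void add_empty_format(dumper_t *d)
{
    memset(&empty_fs, 0, sizeof empty_fs);
    d->fshead = &empty_fs;
}

/* Walks the unit list the way dump.c:301 does, but with the guard the
 * reporter suggests ("fu;") so an empty list terminates instead of
 * dereferencing NULL. Returns the number of units seen. */
int count_units(const FS *fs)
{
    int n = 0;
    for (const FU *fu = fs->nextfu; fu; fu = fu->nextfu)
        n++;
    return n;
}

/* Evaluates the dump.c:302 condition for the last unit of fs. Returns -1
 * when there is no unit (the hexdump -e "" case), otherwise 0 or 1. */
int last_unit_condition(const dumper_t *d, const FS *fs)
{
    const FU *fu = fs->nextfu;
    if (!fu)
        return -1;               /* the unguarded loop would crash here */
    while (fu->nextfu)
        fu = fu->nextfu;
    return fs->bcnt < d->blocksize && !(fu->flags & F_SETREP) && fu->bcnt;
}
```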

- Relationships

- Notes
(0010714)
vda
08-23-08 16:17

fixed in rev 23190, thanks
 

- Issue History
Date Modified Username Field Change
08-21-08 21:20 cristic New Issue
08-21-08 21:20 cristic Status new => assigned
08-21-08 21:20 cristic Assigned To  => BusyBox
08-23-08 16:17 vda Status assigned => closed
08-23-08 16:17 vda Note Added: 0010714
08-23-08 16:17 vda Resolution open => fixed
08-23-08 16:17 vda Fixed in Version  => svn