| Summary: | A null pointer dereference in busybox/editors/diff.c results in a crash | | |
|---|---|---|---|
| Product: | Busybox | Reporter: | Peiyu Liu <liupeiyu> |
| Component: | Other | Assignee: | unassigned |
| Status: | NEW --- | | |
| Severity: | critical | CC: | busybox-cvs, liupeiyu |
| Priority: | P5 | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Host: | | Target: | |
| Build: | | | |
In function `diffreg(char *file[2])` of busybox/editors/diff.c:

```c
744 fp[i] = fdopen(fd, "r");
...
753 i = fread(buf0, 1, sz, fp[0]);
754 j = fread(buf1, 1, sz, fp[1]);
```

At line 744, when fdopen() fails, fp[i] will be NULL; then, at line 753, fp[0] is used without any check. Finally, fp[0] will be dereferenced in fread without any check (at least fread in uclibc does not check this pointer), i.e., a null pointer dereference occurs. fp[1] in line 754 is the same case.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking fp[0] before using it, such as:

```c
if (fp[0])
    i = fread(buf0, 1, sz, fp[0]);
else
    ... /* (goto out?) */
```