Bug 12966

Summary: A null pointer dereference in uclibc/libc/stdio/fread.c leads to a crash
Product: uClibc
Reporter: Peiyu Liu <liupeiyu>
Component: stdio
Assignee: unassigned
Status: NEW ---
Severity: critical
CC: liupeiyu, uclibc-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:

Description Peiyu Liu 2020-05-29 14:30:11 UTC
In function fread_unlocked() in uclibc/libc/stdio/fread.c (https://git.uclibc.org/uClibc/tree/libc/stdio/fread.c),

    14 size_t fread_unlocked(void * __restrict ptr, size_t size, size_t nmemb,
    15                       FILE * __restrict stream)
    16 {
    17     __STDIO_STREAM_VALIDATE(stream);
    18     assert(stream->__filedes >= -1);
    ...

at line 18, argument stream is dereferenced without any check. However, the caller may pass a NULL pointer here, i.e., a null pointer dereference may occur.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking stream before using it, such as:

    if (stream)
        assert(stream->__filedes >= -1);
    else
        ...(handle the error ...)
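A concrete version of the NULL check proposed above, added here as an illustration and not code from uClibc or from the reporter: a wrapper around the standard fread() that refuses a NULL stream (or buffer) with EINVAL instead of dereferencing it. The wrapper name and the choice of EINVAL as the error code are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Guarded wrapper around fread(): refuses a NULL stream or buffer with
 * EINVAL instead of dereferencing it, mirroring the check proposed in the
 * report. Hypothetical name; EINVAL is an assumption for illustration. */
size_t guarded_fread(void *ptr, size_t size, size_t nmemb, FILE *stream)
{
    if (stream == NULL || ptr == NULL) {
        errno = EINVAL;
        return 0;
    }
    return fread(ptr, size, nmemb, stream);
}

/* Returns 1 if a NULL stream is rejected with EINVAL rather than crashing. */
int rejects_null_stream(void)
{
    char buf[16];
    errno = 0;
    size_t n = guarded_fread(buf, 1, sizeof buf, NULL);
    return n == 0 && errno == EINVAL;
}

/* Writes a constructed 5-byte sample into a temporary file, reads it back
 * through the wrapper and returns the byte count (5 on success). */
size_t reads_constructed_stream(void)
{
    const char sample[] = "hello";   /* constructed input */
    char buf[16];
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    fwrite(sample, 1, strlen(sample), f);
    rewind(f);
    size_t n = guarded_fread(buf, 1, sizeof buf, f);
    fclose(f);
    return n;
}

int main(void)
{
    printf("NULL stream rejected: %d\n", rejects_null_stream());
    printf("bytes read back: %zu\n", reads_constructed_stream());
    return 0;
}
```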