Bug 15091

Summary: Busybox bc Calculator zxc_lex_next Function Stack Overflow
Product: Busybox
Reporter: sohu0106 <sohu0106>
Component: Standard Compliance
Assignee: unassigned
Status: NEW ---
Severity: normal
CC: busybox-cvs
Priority: P5
Version: 1.33.x
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:
Attachments: poc

Description sohu0106 2022-11-01 02:11:01 UTC
Created attachment 9396
poc

1.
Busybox bc Calculator zxc_lex_next Function Stack Overflow 
busybox-master\busybox-1.33.1\miscutils\bc.c
In line 2971, stack overflow by &G.prs

2966 #define zbc_lex_token(...) (zbc_lex_token(__VA_ARGS__) COMMA_SUCCESS)
2967 #define zdc_lex_token(...) (zdc_lex_token(__VA_ARGS__) COMMA_SUCCESS)
2968
2969 static BC_STATUS zxc_lex_next(void)
2970 {
2971         BcParse *p = &G.prs;
2972         BcStatus s;
2973
2974         G.err_line = p->lex_line;
2975         p->lex_last = p->lex;
2976 //why?
2977 //      if (p->lex_last == XC_LEX_EOF)
2978 //              RETURN_STATUS(bc_error("end of file"));
2979

2.
Affected versions Busybox 1.33

3. ASan report

busybox-1.33.1/busybox_unstripped bc  id:000070,sig:11,src:000521,time:393476879,execs:45282546,op:havoc,rep:16

bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1384283==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeffc14fb8 (pc 0x55fdbe760cd8 bp 0x619000000580 sp 0x7ffeffc14fb8 T0)
    #0 0x55fdbe760cd7 in zxc_lex_next miscutils/bc.c:2971

SUMMARY: AddressSanitizer: stack-overflow miscutils/bc.c:2971 in zxc_lex_next
==1384283==ABORTING