Bug 12961 - A null pointer dereference in busybox/editors/diff.c results in a crash
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All Linux
Importance: P5 critical
Target Milestone: ---
Assignee: unassigned
Reported: 2020-05-29 14:07 UTC by Peiyu Liu
Modified: 2020-05-29 14:09 UTC
Description Peiyu Liu 2020-05-29 14:07:45 UTC
In function diffreg(char *file[2]) of busybox/editors/diff.c,

    744 fp[i] = fdopen(fd, "r");
    ...
    753 i = fread(buf0, 1, sz, fp[0]);
    754 j = fread(buf1, 1, sz, fp[1]);


At line 744, when fdopen() fails, fp[i] will be NULL; then, at line 753, fp[0] is used without any check. Finally, fp[0] will be dereferenced in fread() without any check (at least fread() in uClibc does not check this pointer), i.e., a null pointer dereference occurs. fp[1] at line 754 is the same case.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking fp[0] before using it, such as:

    if (fp[0])
        i = fread(buf0, 1, sz, fp[0]);
    else
        ... (goto out?)