Bug 12966 - A null pointer dereference in uclibc/libc/stdio/fread.c leads to a crash
Summary: A null pointer dereference in uclibc/libc/stdio/fread.c leads to a crash
Status: NEW
Alias: None
Product: uClibc
Classification: Unclassified
Component: stdio
Version: unspecified
Hardware: All Linux
Importance: P5 critical
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-29 14:30 UTC by Peiyu Liu
Modified: 2020-05-29 14:30 UTC (History)
CC: 2 users

See Also:
Host:
Target:
Build:

Description Peiyu Liu 2020-05-29 14:30:11 UTC
In function fread_unlocked() in uclibc/libc/stdio/fread.c (https://git.uclibc.org/uClibc/tree/libc/stdio/fread.c),

    14 size_t fread_unlocked(void * __restrict ptr, size_t size, size_t nmemb,
    15                       FILE * __restrict stream)
    16 {
    17     __STDIO_STREAM_VALIDATE(stream);
    18     assert(stream->__filedes >= -1);
    ...

at line 18, argument stream is dereferenced without any check. However, the caller may pass a NULL pointer here, i.e., a null pointer dereference may occur.

I have dynamically tested this bug; it leads to a crash at runtime.

Maybe we can fix this bug by checking stream before using it, such as:

    if (stream)
        assert(stream->__filedes >= -1);
    else
        ...(handle the error ...)