[BusyBox 0004354]: tr buffer overflow (invalid read)
bugs at busybox.net
bugs at busybox.net
Fri Jul 25 16:25:43 PDT 2008
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=4354
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4354
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 07-25-2008 16:25 PDT
Last Modified: 07-25-2008 16:25 PDT
======================================================================
Summary: tr buffer overflow (invalid read)
Description:
Using [ in the set of characters to be translated/squeezed/deleted by tr
can cause a buffer overflow. Here is the simplest example:
tr [
Or tr -d [, for an example compatible w/ Coreutils.
The problem is in the function expand(), file tr.c:
tr.c:73 - arg is incremented to point past the end of the buffer holding
"["
tr.c:141 - arg, which now points to invalid memory, is dereferenced
A much more minor issue is that Busybox accepts tr [, while Coreutils
rejects it:
$ coreutils/tr [
tr: missing operand after `['
Two strings must be given when translating.
Try `tr --help' for more information.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
07-25-08 16:25 cristic New Issue
07-25-08 16:25 cristic Status new => assigned
07-25-08 16:25 cristic Assigned To => BusyBox
======================================================================
More information about the busybox-cvs
mailing list