[BusyBox 0004354]: tr buffer overflow (invalid read)

bugs at busybox.net bugs at busybox.net
Sun Jul 27 23:38:42 PDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4354 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4354
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-25-2008 16:25 PDT
Last Modified:              07-27-2008 23:38 PDT
====================================================================== 
Summary:                    tr buffer overflow (invalid read)
Description: 
Using [ in the set of characters to be translated/squeezed/deleted by tr 
can cause a buffer overflow.  Here is the simplest example:

tr [

Or tr -d [, for an example compatible w/ Coreutils.

The problem is in the function expand(), file tr.c:
tr.c:73   - arg is incremented to point past the end of the buffer holding "["
tr.c:141  - arg, which now points to invalid memory, is dereferenced

A much more minor issue is that Busybox accepts tr [, while Coreutils
rejects it:
$ coreutils/tr [
tr: missing operand after `['
Two strings must be given when translating.
Try `tr --help' for more information.

====================================================================== 

---------------------------------------------------------------------- 
 vda - 07-26-08 07:35  
---------------------------------------------------------------------- 
Please try attached 4.patch 

---------------------------------------------------------------------- 
 cristic - 07-27-08 23:38  
---------------------------------------------------------------------- 
Thanks, this does fix the problem, so we should close this report.  Our tool
finds a similar bug in tr, but I'll report it in another thread (which makes
it easier for me to keep track of my reports).

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-25-08 16:25  cristic        New Issue                                    
07-25-08 16:25  cristic        Status                   new => assigned     
07-25-08 16:25  cristic        Assigned To               => BusyBox         
07-25-08 16:26  cristic        Issue Monitored: cristic                     
07-26-08 07:35  vda            File Added: 4.patch                          
07-26-08 07:35  vda            Note Added: 0010024                          
07-27-08 23:35  cristic        Note Added: 0010074                          
07-27-08 23:36  cristic        Note Deleted: 0010074                        
07-27-08 23:38  cristic        Note Added: 0010084                          
======================================================================
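
Added example, not part of the original report and not BusyBox's tr.c: a
simplified set expander showing the pattern the description names (the cursor
is stepped past the terminator after '[' and then dereferenced) beside a
bounds-checked form. The function names, the "[x-y]" grammar and the padded
buffer are assumptions constructed for illustration.

```c
#include <stdio.h>   /* also provides size_t */
/* Constructed: the string "[" plus trailing bytes the caller never passed in. */
static const char padded[] = { '[', '\0', '-', 'C', ']', '\0' };

/* Hypothetical simplified expander (not BusyBox's tr.c): literals and "[x-y]".
 * After '[' it moves the cursor two bytes on without testing for the NUL. */
static size_t expand_unchecked(const char *arg, unsigned char *out, size_t cap)
{
    size_t n = 0;
    const char *p = arg;
    while (*p) {
        if (*p == '[') {
            unsigned lo = (unsigned char)p[1];   /* for "[" this is the NUL */
            p += 2;                              /* now past the terminator */
            if (*p == '-') {                     /* read beyond the string */
                unsigned hi = (unsigned char)p[1];
                for (unsigned c = lo; c <= hi && n < cap; c++) out[n++] = (unsigned char)c;
                p += 3;                          /* "-y]", with ']' assumed */
                continue;
            }
            p -= 2;                              /* not a range: '[' is a literal */
        }
        if (n < cap) out[n++] = (unsigned char)*p;
        p++;
    }
    return n;
}

/* Hardened: && short-circuits, so no byte after a NUL is ever examined. */
static size_t expand_checked(const char *arg, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = arg; *p; p++) {
        if (p[0] == '[' && p[1] && p[2] == '-' && p[3] && p[4] == ']') {
            for (unsigned c = (unsigned char)p[1]; c <= (unsigned char)p[3] && n < cap; c++)
                out[n++] = (unsigned char)c;
            p += 4;                              /* loop's p++ steps over ']' */
            continue;
        }
        if (n < cap) out[n++] = (unsigned char)*p;
    }
    return n;
}

int main(void)
{
    unsigned char out[256];
    printf("unchecked emitted %zu bytes\n", expand_unchecked(padded, out, sizeof out));
    printf("checked emitted %zu bytes\n", expand_checked(padded, out, sizeof out));
    return 0;
}
```

On the padded buffer the unchecked version builds a 68-byte set from data
lying past the terminator, while the checked version emits the single
literal '['.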