Hello coreutils maintainers,
I would like to report a potential NULL pointer dereference issue found in
the expr utility source code.
File: src/expr.c
Function: tostring
Line: around 459
Version: coreutils latest
Severity: Low (extremely unlikely, only occurs if memory allocator failed)
Description:
In the function tostring(), the return value of mpz_get_str(NULL, 10, v->u.i)
is not checked before use. If memory allocation fails, mpz_get_str() may
return NULL. The code then assigns this NULL pointer to v->u.s. Later, in
functions such as eval2(), string operations like strcoll(l->u.s, r->u.s)
can dereference the NULL pointer and cause a crash.
Example call path:
eval -> eval1 -> eval2 -> tostring
Relevant code snippet:

    case integer:
      v->u.s = mpz_get_str (NULL, 10, v->u.i);
      mpz_clear (v->u.i);
      v->type = string;
      break;
Reasoning:
By default, GMP aborts on allocation failure, but this behavior can be
changed by registering custom memory functions. If such a configuration is
used, the current code may continue execution with a NULL pointer, leading
to undefined behavior or a crash. Adding a defensive check would make the
code robust in both default and customized environments.
Best regards,
CheckScope
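The defensive check the report asks for, shown as an added example that is not coreutils code and does not link GMP: a small C model of tostring() and the strcoll() step of eval2(), with a pluggable allocator that stands in for one registered through mp_set_memory_functions() and can be made to return NULL after a chosen number of calls. int_to_str() stands in for mpz_get_str(NULL, 10, ...), the struct mirrors valinfo with a long in place of mpz_t, and compare_ints_as_strings() is a hypothetical driver; the allocation budgets and sample integers are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on struct valinfo in expr.c; a long stands in for mpz_t so the
   example needs no GMP. */
enum valtype { integer, string };
struct valinfo
{
  enum valtype type;
  union { long i; char *s; } u;
};

/* Allocation hook standing in for an allocator registered with GMP's
   mp_set_memory_functions(). Budget -1 never fails; otherwise the call
   after `budget` successful ones returns NULL (the fault the report
   hypothesizes). */
static long alloc_budget = -1;

void set_alloc_budget (long n) { alloc_budget = n; }

static void *hooked_alloc (size_t n)
{
  if (alloc_budget == 0)
    return NULL;
  if (alloc_budget > 0)
    alloc_budget--;
  return malloc (n);
}

/* Stand-in for mpz_get_str (NULL, 10, v): the NULL buffer argument makes
   the library allocate the result itself, so a failing allocator shows
   up here as a NULL return. */
char *int_to_str (long v)
{
  int len = snprintf (NULL, 0, "%ld", v);
  char *s = hooked_alloc ((size_t) len + 1);
  if (s == NULL)
    return NULL;
  snprintf (s, (size_t) len + 1, "%ld", v);
  return s;
}

/* Defensive tostring(): commit the type change only when a buffer came
   back. On failure the value is untouched and still a valid integer. */
bool tostring_checked (struct valinfo *v)
{
  if (v->type == string)
    return true;
  char *s = int_to_str (v->u.i);
  if (s == NULL)
    return false;
  v->u.s = s;
  v->type = string;
  return true;
}

/* The strcoll() step from eval2(), refusing to touch u.s unless both
   conversions succeeded: 0 and the sign of strcoll in *cmp on success,
   -1 if either conversion failed. */
int compare_values (struct valinfo *l, struct valinfo *r, int *cmp)
{
  if (!tostring_checked (l) || !tostring_checked (r))
    return -1;
  int c = strcoll (l->u.s, r->u.s);
  *cmp = (c > 0) - (c < 0);
  return 0;
}

void free_value (struct valinfo *v)
{
  if (v->type == string)
    free (v->u.s);
  v->type = integer;
  v->u.i = 0;
}

/* Hypothetical driver: compare a and b as decimal strings under a given
   allocation budget. Returns -1/0/1 from strcoll, or -2 when a conversion
   failed and the comparison was (correctly) not attempted. */
int compare_ints_as_strings (long a, long b, long budget)
{
  struct valinfo l = { integer, { .i = a } };
  struct valinfo r = { integer, { .i = b } };
  int cmp = 0;
  set_alloc_budget (budget);
  int rc = compare_values (&l, &r, &cmp);
  free_value (&l);
  free_value (&r);
  set_alloc_budget (-1);
  return rc == 0 ? cmp : -2;
}

int main (void)
{
  printf ("unlimited budget, 10 vs 9 as strings: %d\n",
          compare_ints_as_strings (10, 9, -1));  /* -1: "10" sorts first */
  printf ("budget 1, second conversion fails:   %d\n",
          compare_ints_as_strings (10, 9, 1));   /* -2: strcoll never runs */
  return 0;
}
```

Build with cc -std=c99 and run: with an unlimited budget the two integers are compared as the strings "10" and "9" (in the default C locale strcoll() orders "10" first, hence -1); with a budget of one allocation the second conversion returns NULL, the value keeps its integer type, and compare_values() reports failure instead of passing a NULL pointer to strcoll(). The same shape applies to the real tostring(): test the mpz_get_str() result before assigning it to v->u.s and before the mpz_clear() that follows, and route a NULL through expr's existing error path rather than continuing with a string-typed value.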