Hi anonymous group,

Thank you for your bug report.

> ## Bug 1:
> in the file coreutils/sort.c:485
>
> ```
> 485:    char *str_k = llist_pop(&lst_k);
>
> i = 0; /* i==0 before comma, 1 after (-k3,6) */
> 488: while (*str_k) {
> ```
> In line 485, it calls the function `llist_pop`, but the function can return
> NULL.

That code is surrounded by 'while(lst_k)', so the list always has at
least one item and it should never return NULL.

> ## Bug 2:
> in the file libbb/verror_msg.c:100:3
>
> ```
> 65:    msg1 = realloc(msg, applet_len + used + strerr_len + msgeol_len + 3);
>     if (!msg1) {
>         msg[used++] = '\n'; /* overwrites NUL */
>         applet_len = 0;
>     }else {
>         ...
>     }
>     if (msg != stack_msg)
> 100:        free(msg);
> ```
>
> In line 65, if the size `applet_len + used + strerr_len + msgeol_len + 3`
> passed to the `realloc` function could overflow to `0` (such as 0x100000000 on a
> 32-bit system), it could cause a double free at line 100 in glibc.
>
> We had better check whether the size passed to the `realloc` function could
> be `0`.

Not only 0, but smaller than expected if the final size is truncated.

Thanks,

Xabier Oneca_,,_
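The size-wrapping concern raised for Bug 2, and the reply's point that a truncated sum can also be merely smaller than expected, can be illustrated with a small stand-alone program. This is an added example, not busybox code: `checked_add_sizes`, `message_buffer_size`, `unchecked_size` and `grow_message` are hypothetical helper names, and the five-term sum only mirrors the shape of the expression quoted from verror_msg.c. It shows the plain `size_t` sum wrapping to exactly 0 (and to a small positive value), and a grow routine that refuses to call `realloc` with a wrapped size while leaving ownership of the original buffer with the caller, so only one `free` ever happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not busybox code): sum n size_t terms, reporting
 * wrap-around. Returns 1 and stores the sum on success, 0 if any step
 * would exceed SIZE_MAX. */
static int checked_add_sizes(size_t *out, const size_t *terms, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (terms[i] > SIZE_MAX - total)
            return 0;              /* this addition would wrap */
        total += terms[i];
    }
    *out = total;
    return 1;
}

/* Same shape as applet_len + used + strerr_len + msgeol_len + 3, but checked.
 * Returns 1 with *out set, or 0 if the sum does not fit in size_t. */
int message_buffer_size(size_t applet_len, size_t used, size_t strerr_len,
                        size_t msgeol_len, size_t *out)
{
    size_t terms[5] = { applet_len, used, strerr_len, msgeol_len, 3 };
    return checked_add_sizes(out, terms, 5);
}

/* The unchecked sum: ordinary size_t arithmetic, which silently wraps
 * (to 0, or to a value smaller than the real requirement). */
size_t unchecked_size(size_t applet_len, size_t used, size_t strerr_len,
                      size_t msgeol_len)
{
    return applet_len + used + strerr_len + msgeol_len + 3;
}

/* Grow a heap buffer safely. On a wrapped size or a failed realloc this
 * returns NULL and leaves msg untouched and still owned by the caller, so
 * the caller's single free() remains correct and no double free can occur. */
char *grow_message(char *msg, size_t applet_len, size_t used,
                   size_t strerr_len, size_t msgeol_len)
{
    size_t need;
    if (!message_buffer_size(applet_len, used, strerr_len, msgeol_len, &need))
        return NULL;   /* refuse rather than pass a wrapped size to realloc */
    return realloc(msg, need);   /* NULL on failure; msg is still valid then */
}

int main(void)
{
    size_t need;
    /* Constructed inputs: a normal case, and one whose sum wraps to exactly 0. */
    if (message_buffer_size(10, 20, 30, 1, &need))
        printf("normal case: need %zu bytes\n", need);
    if (!message_buffer_size(SIZE_MAX - 2, 0, 0, 0, &need))
        printf("wrapped case: unchecked sum would be %zu, refused\n",
               unchecked_size(SIZE_MAX - 2, 0, 0, 0));
    return 0;
}
```

The checked path treats an unrepresentable size as an allocation failure, which is the same branch the original code already has for `realloc` returning NULL; the difference is that `realloc` is never reached with a size of 0 (which glibc may treat as a free) or with a size too small for the bytes about to be written.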
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox