Hi anonymous group,

Thank you for your bug report.

> ## Bug 1:
> in the file :coreutils/sort.c:485
>
> ```
> 485: char *str_k = llist_pop(&lst_k);
>
> i = 0; /* i==0 before comma, 1 after (-k3,6) */
> 488: while (*str_k) {
> ```
> In line 485, it calls the function `llist_pop`, but the function can return
> NULL.

That code is surrounded by 'while(lst_k)', so the list always has at least one item and it should never return NULL.

> ## Bug 2:
> in the file :libbb/verror_msg.c: 100:3
>
> ```
> 65: msg1 = realloc(msg, applet_len + used + strerr_len + msgeol_len + 3);
> if (!msg1) {
>     msg[used++] = '\n'; /* overwrites NUL */
>     applet_len = 0;
> } else {
>     ...
> }
> if (msg != stack_msg)
> 100: free(msg);
> ```
>
> In line 65, if the size `applet_len + used + strerr_len + msgeol_len + 3`
> passed to the `realloc` function could overflow to `0` (such as 0x100000000 on a 32-bit
> system), it could cause a double free at line 100 in glibc.
>
> We had better check whether the size passed to the `realloc` function could
> be `0`.

Not only 0, but smaller than expected if the final size is truncated.

Thanks,
Xabier Oneca_,,_

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
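The check Xabier describes for Bug 2 (refusing a size that wraps, not just one that lands exactly on 0) can be written as an overflow-checked sum in front of the `realloc` call. The following is an added example, not BusyBox code and not code from either poster; `checked_sum` and `grow_msg_checked` are hypothetical helper names, the parameter names only mirror the quoted `verror_msg.c` snippet, and the input values are constructed. It generalizes the 32-bit case in the report to any `size_t` width, since the wrap test is against `SIZE_MAX` rather than a fixed constant.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (added example, not BusyBox code): add four size_t
 * terms plus a constant, refusing any sum that would wrap around size_t.
 * On success returns true and stores the total in *out; on overflow
 * returns false and leaves *out untouched. */
bool checked_sum(size_t a, size_t b, size_t c, size_t d, size_t extra, size_t *out)
{
    size_t parts[] = { a, b, c, d, extra };
    size_t total = 0;
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        /* If parts[i] does not fit in the remaining headroom, the sum would wrap. */
        if (parts[i] > SIZE_MAX - total)
            return false;
        total += parts[i];
    }
    *out = total;
    return true;
}

/* Mirrors the shape of the quoted realloc call: grow msg to hold the applet
 * name, the bytes used so far, the strerror text and the line ending, plus 3.
 * If the requested size would be truncated, returns NULL without calling
 * realloc at all, so the caller's msg pointer is never handed a size that
 * is smaller than the data it is about to write. */
char *grow_msg_checked(char *msg, size_t applet_len, size_t used,
                       size_t strerr_len, size_t msgeol_len)
{
    size_t need;
    if (!checked_sum(applet_len, used, strerr_len, msgeol_len, 3, &need))
        return NULL;
    return realloc(msg, need);
}

/* Small driver so the file runs stand-alone; values are constructed. */
int main(void)
{
    size_t need;
    /* A length that wraps: SIZE_MAX + 1 + 3 is tiny after truncation. */
    if (!checked_sum(SIZE_MAX, 1, 0, 0, 3, &need))
        puts("overflow detected, realloc skipped");

    char *buf = grow_msg_checked(NULL, 4, 5, 6, 1);
    if (buf) {
        puts("allocated 19 bytes");
        free(buf);
    }
    return 0;
}
```

The caller still has to treat the NULL from `grow_msg_checked` as a failure distinct from an ordinary allocation failure: in the quoted code the `!msg1` branch goes on to write into `msg`, so a size that was refused up front must not fall into that branch as if the old buffer were still large enough.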