Hi, ALL

There is a null dereference in the stat_main of stat.c.


It doesn't check the result value of the next_printf function which could 
return null.


Test case: toybox -c "%%" file


-----------------------------------------------------
Best Regards,
 李武刚
18698552630
From db6ed7317d7a4a7f154fe6761a2ddfde67841b9b Mon Sep 17 00:00:00 2001
From: liwugang <liwug...@xiaomi.com>
Date: Thu, 4 Apr 2019 18:45:59 +0800
Subject: [PATCH] stat: avoid null dereference.

When the specified format string has odd '%' in the end,
the next_printf function will return null. Checking
the result value before using it.

Signed-off-by: liwugang <liwug...@xiaomi.com>
---
 toys/other/stat.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/toys/other/stat.c b/toys/other/stat.c
index d828534c..22b1b833 100644
--- a/toys/other/stat.c
+++ b/toys/other/stat.c
@@ -198,6 +198,7 @@ void stat_main(void)
       if (*f != '%') putchar(*f);
       else {
         f = next_printf(f, &TT.pattern);
+        if (!f) error_exit("bad -c \"%s\"", format);
         TT.patlen = f-TT.pattern;
         if (TT.patlen>99) error_exit("bad %s", TT.pattern);
         if (*f == 'n') strout(TT.file);
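Review bot: no regression test accompanies the new `if (!f)` check after `next_printf(f, &TT.pattern)`; the diffstat lists only toys/other/stat.c. A test that passes a -c format ending in an unpaired '%' and expects the error exit would keep this from regressing. The new message also prints `format`, which is not declared anywhere in the visible context, so please confirm it still points at the original -c string at this point in the loop. The neighbouring check reports `"bad %s"` with `TT.pattern` while this one reports `"bad -c \"%s\""`, and it would be worth settling on one wording for both.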
-- 
2.21.0

_______________________________________________
Toybox mailing list
Toybox@lists.landley.net
http://lists.landley.net/listinfo.cgi/toybox-landley.net
