In function readfile(), the buffer buf is free'd when readall() fails. This free can cause a crash, if the buffer passed by user of function is not malloc'ed one.

names_to_pid() is one usecase example here.
author: Ashwini Sharma <ak.ashwini1981@gmail.com> 2014-05-02 06:24:11 -0500
committer: Ashwini Sharma <ak.ashwini1981@gmail.com> 2014-05-02 06:24:11 -0500
commit: 26b21882bfd8a3712614e94dde41a5194dda7aee (patch)
tree: 9f936f5381b9237fa8f5fc4baa553302c9916ded /lib
parent: a547cf11686a878d2fd1a42a05719b78903009ad (diff)
download: toybox-26b21882bfd8a3712614e94dde41a5194dda7aee.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/lib.c b/lib/lib.c
index c1029d20..670f6a71 100644
--- a/lib/lib.c
+++ b/lib/lib.c
@@ -323,9 +323,10 @@ off_t fdlength(int fd)
 
 // Read contents of file as a single nul-terminated string.
 // malloc new one if buf=len=0
-char *readfile(char *name, char *buf, off_t len)
+char *readfile(char *name, char *ibuf, off_t len)
 {
   int fd;
+  char *buf;
 
   fd = open(name, O_RDONLY);
   if (fd == -1) return 0;
@@ -335,12 +336,13 @@ char *readfile(char *name, char *buf, off_t len)
     // proc files don't report a length, so try 1 page minimum.
     if (len<4096) len = 4096;
   }
-  if (!buf) buf = xmalloc(len+1);
+  if (!ibuf) buf = xmalloc(len+1);
+  else buf = ibuf;
 
   len = readall(fd, buf, len-1);
   close(fd);
   if (len<0) {
-    free(buf);
+    if (ibuf != buf) free(buf);
     buf = 0;
   } else buf[len] = 0;
author	Ashwini Sharma <ak.ashwini1981@gmail.com>	2014-05-02 06:24:11 -0500
committer	Ashwini Sharma <ak.ashwini1981@gmail.com>	2014-05-02 06:24:11 -0500
commit	26b21882bfd8a3712614e94dde41a5194dda7aee (patch)
tree	9f936f5381b9237fa8f5fc4baa553302c9916ded /lib
parent	a547cf11686a878d2fd1a42a05719b78903009ad (diff)
download	toybox-26b21882bfd8a3712614e94dde41a5194dda7aee.tar.gz