From owner-freebsd-bugs@FreeBSD.ORG Wed Oct 6 10:20:23 2004
Date: Wed, 6 Oct 2004 10:20:23 GMT
Message-Id: <200410061020.i96AKNBT035621@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/72370: awk in -current dumps core

The following reply was made to PR bin/72370; it has been noted by GNATS.
From: Ruslan Ermilov
To: Joseph Koshy
Cc: bug-followup@freebsd.org
Subject: Re: bin/72370: awk in -current dumps core
Date: Wed, 6 Oct 2004 13:17:57 +0300

On Wed, Oct 06, 2004 at 02:18:27AM +0000, Joseph Koshy wrote:
>
> awk in 5-current dumps core if asked to dereference a positional
> parameter at a large positive index. There also seems to be
> numeric overflow occurring behind the scenes. The following
> examples show the difference between GNU awk in 4-STABLE and
> the awk in 5-current.
>
> $ echo | /5/usr/bin/awk '{ x = 2147483647; print $x }'
> *core dump*
>

There's no bounds checking done when growing the "field table".
What happens here is that realloc() is given "0" as the second
argument, and later the code assumes that enough data has been
allocated when in fact it was not. The below patch should check
for all possible overflows by doing the reverse arithmetic.

%%%
Index: lib.c
===================================================================
RCS file: /home/ncvs/src/contrib/one-true-awk/lib.c,v
retrieving revision 1.1.1.3
diff -u -p -r1.1.1.3 lib.c
--- lib.c	17 Mar 2003 07:59:58 -0000	1.1.1.3
+++ lib.c	6 Oct 2004 07:55:36 -0000
@@ -387,10 +387,15 @@ Cell *fieldadr(int n)	/* get nth field *
 void growfldtab(int n)	/* make new fields up to at least $n */
 {
 	int nf = 2 * nfields;
+	size_t s;
 
 	if (n > nf)
 		nf = n;
-	fldtab = (Cell **) realloc(fldtab, (nf+1) * (sizeof (struct Cell *)));
+	s = (nf+1) * (sizeof (struct Cell *));
+	if (s / (sizeof (struct Cell *)) - 1 == nf)
+		fldtab = (Cell **) realloc(fldtab, s);
+	else
+		xfree(fldtab);
 	if (fldtab == NULL)
 		FATAL("out of space creating %d fields", nf);
 	makefields(nfields+1, nf);
%%%

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
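Review bot: the new check in this hunk still evaluates `nf+1` in int before the multiplication, so for the PR's own input (n = 2147483647, hence nf = INT_MAX) the line `s = (nf+1) * (sizeof (struct Cell *));` overflows a signed int, which is undefined behaviour, before any size_t arithmetic happens; the `s / (sizeof (struct Cell *)) - 1 == nf` test happens to reject the wrapped value on common compilers but cannot be relied on. Promote first and compare the count rather than count minus one, e.g. `s = ((size_t)nf + 1) * sizeof(Cell *);` followed by `if (s / sizeof(Cell *) == (size_t)nf + 1)`. The untouched context line `int nf = 2 * nfields;` has the same problem once nfields exceeds INT_MAX / 2. Minor: the `else` branch relies on xfree() resetting fldtab to NULL so that the following `if (fldtab == NULL)` reaches FATAL; calling FATAL directly in that branch would make the intent plain.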
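As an added illustration, not code from the PR or from one-true-awk, the following C models the field-table size computation in a 32-bit size_t: it shows how the index from the PR makes the unchecked (nf + 1) * sizeof product wrap to 0, and how the reverse-arithmetic check from the patch (plus a guard on the increment itself) refuses such a size before it reaches realloc(). All names, and the 4-byte pointer size, are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CELLP_SIZE 4u   /* assumed pointer size on the i386 box the PR was filed on */

/* Pre-patch arithmetic, (nf + 1) * sizeof(Cell *), in a 32-bit size_t: for the
 * PR's index 2147483647 the product wraps to 0, the size realloc() was handed. */
uint32_t naive_bytes(uint32_t nf)
{
    return (nf + 1u) * CELLP_SIZE;
}

/* The patch's reverse-arithmetic check plus a guard for nf + 1 itself wrapping.
 * Returns the byte count, or 0 on overflow (never a valid size, as count >= 1). */
uint32_t checked_bytes(uint32_t nf)
{
    uint32_t count = nf + 1u;
    if (count < nf)                 /* nf == UINT32_MAX: the increment wrapped */
        return 0;
    uint32_t s = count * CELLP_SIZE;
    if (s / CELLP_SIZE != count)    /* the multiplication wrapped */
        return 0;
    return s;
}

/* Model of growfldtab(): start from a two-entry table, grow it to hold at least
 * $n, return the new field count or 0 on failure; a wrapped size never reaches realloc(). */
uint32_t demo_grow(uint32_t n)
{
    uint32_t nfields = 2, nf, bytes;
    void *fldtab = calloc(nfields + 1, CELLP_SIZE);
    nf = nfields > UINT32_MAX / 2 ? UINT32_MAX : 2 * nfields;  /* saturating doubling */
    if (n > nf)
        nf = n;
    bytes = checked_bytes(nf);
    void *p = bytes ? realloc(fldtab, bytes) : NULL;
    if (p == NULL) {
        free(fldtab);               /* what xfree() does in the patch, before FATAL */
        return 0;
    }
    free(p);
    return nf;
}

int main(void)
{
    printf("naive=%u checked=%u\n", naive_bytes(2147483647u), checked_bytes(2147483647u));
    printf("grow(10)=%u grow(2147483647)=%u\n", demo_grow(10), demo_grow(2147483647u));
    return 0;
}
```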