Date: Thu, 13 Aug 2009 10:00:15 GMT From: Fredrik Lindberg <fli@shapeshifter.se> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number Message-ID: <200908131000.n7DA0F2w031995@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/137707; it has been noted by GNATS. From: Fredrik Lindberg <fli@shapeshifter.se> To: bug-followup@FreeBSD.org, deeptech71@gmail.com Cc: hugh.mahon@cwx.net Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number Date: Thu, 13 Aug 2009 11:50:42 +0200 This is a multi-part message in MIME format. --------------060704070207090201020407 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit The version of ee.c in contrib/ee initialize char *direction to NULL, the value of this pointer is then calculated depending on if the cursor should move up and down. Without any next lines, the pointer is never initialized before fed to strcmp() which segfaults on the NULL pointer. This bug is only triggered if the cursor is at the last line and one attempts to move down. To minimize the changes of the contrib source it's easiest to just initialize direction to "d", this should have no impact as the pointer is changed when possible and moving "down" 0 lines has no effect. CCed the upstream author as the sources in the tree (1.5.0) looks identical in this aspect. Hugh, any particular reason direction isn't just a char? I might be missing something but it seems it's only used with lines containing one character only. Fredrik Program received signal SIGSEGV, Segmentation fault. 0x281a4ec8 in strcmp () from /lib/libc.so.7 #1 0x0804cda6 in goto_line (cmd_str=0x28217102 "2") at /usr/home/fli/work/freebsd/src/usr.bin/ee/../../contrib/ee/ee.c:2027 2027 if (!strcmp(direction, "d")) (gdb) print direction $1 = 0x0 (gdb) print number $4 = 2 (gdb) print t_line->line_number $5 = 1 (gdb) print t_line->next_line $6 = (struct text *) 0x0 --------------060704070207090201020407 Content-Type: text/plain; name="ee.c-patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ee.c-patch" Index: ee.c =================================================================== --- ee.c (revision 196171) +++ ee.c (working copy) @@ -1993,7 +1993,7 @@ int number; int i; char *ptr; - char *direction = NULL; + char *direction = "d"; struct text *t_line; ptr = cmd_str; --------------060704070207090201020407--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908131000.n7DA0F2w031995>