From owner-freebsd-bugs@FreeBSD.ORG Thu Aug 13 10:00:16 2009
Date: Thu, 13 Aug 2009 10:00:15 GMT
Message-Id: <200908131000.n7DA0F2w031995@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Fredrik Lindberg
Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number
List-Id: Bug reports

The following reply was made to PR bin/137707; it has been noted by GNATS.
From: Fredrik Lindberg
To: bug-followup@FreeBSD.org, deeptech71@gmail.com
Cc: hugh.mahon@cwx.net
Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number
Date: Thu, 13 Aug 2009 11:50:42 +0200

The version of ee.c in contrib/ee initializes char *direction to NULL; the value of this pointer is then calculated depending on whether the cursor should move up or down. Without any next lines, the pointer is never initialized before being fed to strcmp(), which segfaults on the NULL pointer. This bug is only triggered if the cursor is at the last line and one attempts to move down.

To minimize the changes to the contrib source it's easiest to just initialize direction to "d"; this should have no impact, as the pointer is changed when possible and moving "down" 0 lines has no effect.

CCed the upstream author as the sources in the tree (1.5.0) look identical in this aspect. Hugh, any particular reason direction isn't just a char? I might be missing something, but it seems it's only used with lines containing one character only.

Fredrik

Program received signal SIGSEGV, Segmentation fault.
0x281a4ec8 in strcmp () from /lib/libc.so.7
#1  0x0804cda6 in goto_line (cmd_str=0x28217102 "2") at /usr/home/fli/work/freebsd/src/usr.bin/ee/../../contrib/ee/ee.c:2027
2027        if (!strcmp(direction, "d"))
(gdb) print direction
$1 = 0x0
(gdb) print number
$4 = 2
(gdb) print t_line->line_number
$5 = 1
(gdb) print t_line->next_line
$6 = (struct text *) 0x0

Attachment: ee.c-patch (text/plain, inline)

Index: ee.c
===================================================================
--- ee.c	(revision 196171)
+++ ee.c	(working copy)
@@ -1993,7 +1993,7 @@ int number; int i; char *ptr; - char *direction = NULL; + char *direction = "d"; struct text *t_line; ptr = cmd_str; --------------060704070207090201020407--
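Review bot: initializing `direction` to "d" keeps the strcmp() at line 2027 off a NULL pointer, but the hunk leaves goto_line() depending on a zero-count "down" move being a no-op in whatever consumes `direction` and `i` afterwards, which this hunk does not show. An explicit check at the point where the walk stops because `t_line->next_line` is NULL while `number` is still larger than `t_line->line_number` (exactly the state in the gdb output: number = 2, line_number = 1, next_line = 0x0), reporting the line as out of range and returning, would document the intent and not rely on that downstream behaviour. If the observation in the reply holds that `direction` only ever carries the one-character strings "u" and "d", a plain `char` compared with `==` would remove the strcmp() call and the NULL case altogether; since that question has already been put to the upstream author, a short comment on the `"d"` initializer saying it covers the no-move case would be enough for the contrib copy.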
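The failure mode the reply describes, as an added example that is not code from ee(1) or the FreeBSD tree: a small C model in which `direction` is assigned only inside the loops that actually step through the line list, so a seek past the last line leaves it NULL at the point where ee.c calls strcmp(). `goto_would_crash` reports whether that NULL would reach strcmp(); `goto_patched` applies the patch's `"d"` initializer and returns the signed move that the downstream move routine would be handed. The `struct line` type, the `build_lines`/`plan_move` helpers and the exact loop shape are assumptions made for this illustration, not copied from goto_line().

```c
/*
 * Added example, not ee(1) code: models the `direction` pointer in a
 * goto_line()-like routine.  List type, helper names and loop shape are
 * assumptions built from the bug description and the gdb output.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct line {
    int line_number;
    struct line *prev_line;
    struct line *next_line;
};

/* Constructed input: a doubly linked list of lines numbered 1..nlines. */
static struct line *build_lines(int nlines)
{
    struct line *head = NULL, *tail = NULL;
    for (int n = 1; n <= nlines; n++) {
        struct line *l = calloc(1, sizeof *l);
        if (l == NULL)
            abort();
        l->line_number = n;
        l->prev_line = tail;
        if (tail != NULL)
            tail->next_line = l;
        else
            head = l;
        tail = l;
    }
    return head;
}

static void free_lines(struct line *l)
{
    while (l != NULL) {
        struct line *next = l->next_line;
        free(l);
        l = next;
    }
}

static struct line *nth_line(struct line *head, int n)
{
    while (head != NULL && head->line_number != n)
        head = head->next_line;
    return head;
}

/* Leading-digit parse of the goto argument, as cmd_str="2" in the gdb trace. */
static int parse_target(const char *cmd_str)
{
    int n = 0;
    while (*cmd_str >= '0' && *cmd_str <= '9')
        n = n * 10 + (*cmd_str++ - '0');
    return n;
}

/*
 * Walk from `cur` toward line `target`.  `direction` starts as `init` and is
 * reassigned only inside a loop that takes a step; when the cursor is on the
 * last line and the target lies below it, neither loop runs and `direction`
 * keeps its initial value.  Returns the step count; *dir receives "u", "d"
 * or the unchanged `init`.
 */
static int plan_move(struct line *cur, int target, const char *init,
                     const char **dir)
{
    const char *direction = init;
    int i = 0;
    struct line *t = cur;

    while (t->line_number > target && t->prev_line != NULL) {
        i++;
        t = t->prev_line;
        direction = "u";
    }
    while (t->line_number < target && t->next_line != NULL) {
        i++;
        t = t->next_line;
        direction = "d";
    }
    *dir = direction;
    return i;
}

/* Unpatched shape (init NULL): 1 if strcmp(direction, "d") would read NULL. */
int goto_would_crash(int nlines, int cursor, const char *cmd_str)
{
    struct line *head = build_lines(nlines);
    struct line *cur = nth_line(head, cursor);
    const char *dir;
    assert(cur != NULL);
    plan_move(cur, parse_target(cmd_str), NULL, &dir);
    int crash = (dir == NULL);      /* ee.c calls strcmp(direction, "d") here */
    free_lines(head);
    return crash;
}

/* Patched shape (init "d"): strcmp() is safe; return the signed move, +down/-up. */
int goto_patched(int nlines, int cursor, const char *cmd_str)
{
    struct line *head = build_lines(nlines);
    struct line *cur = nth_line(head, cursor);
    const char *dir;
    assert(cur != NULL);
    int steps = plan_move(cur, parse_target(cmd_str), "d", &dir);
    int delta = (strcmp(dir, "d") == 0) ? steps : -steps;  /* 0 when no line below */
    free_lines(head);
    return delta;
}

int main(void)
{
    /* The gdb scenario: a one-line buffer, cursor on line 1, ":2" requested. */
    printf("unpatched would crash: %d\n", goto_would_crash(1, 1, "2"));
    printf("patched move:          %d\n", goto_patched(1, 1, "2"));
    return 0;
}
```

The unpatched variant returns a flag instead of calling strcmp() so the example can run to completion; the state it detects (`number` above the cursor's `line_number` with `next_line` NULL) is the one the gdb session shows. The patched variant mirrors the reply's argument: with `"d"` as the default the comparison is always on a valid string, and the resulting "down by 0" move is a no-op.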