Date: Mon, 22 Apr 1996 01:03:08 -0400 (EDT)
From: mmead@Glock.COM
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1153: fmt segfaults
Message-ID: <199604220503.BAA01235@neon.Glock.COM>
Resent-Message-ID: <199604220510.WAA10226@freefall.freebsd.org>
>Number: 1153
>Category: bin
>Synopsis: fmt segfaults when it receives an empty line of input
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 21 22:10:00 PDT 1996
>Last-Modified:
>Originator: matthew c. mead
>Organization:
Glock Telecommunications
>Release: FreeBSD neon.Glock.COM 2.2-CURRENT FreeBSD 2.2-CURRENT #0: Sat Apr 20 18:54:24 EDT 1996 mmead@neon.Glock.COM:/home/src/sys/compile/NEON i386
>Environment:
As far as I can tell, it happens no matter what the
environment in your shell is, no matter what user you are, etc.
>Description:
When accepting input for formatting, fmt gets a
segmentation fault when it attempts to process an empty line of
text. The problem is at line 175 of /usr/src/usr.bin/fmt/fmt.c,
and occurs because on an empty line of text, no space is
allocated to linebuf, which the assignment *cp = '\0'
dereferences. This is the first of such problems, and
(cp == NULL) checks need to be implemented.
>How-To-Repeat:
echo "" | fmt
>Fix:
I've hacked on /usr/src/usr.bin/fmt/fmt.c and think I've
got the problem all figured out and fixed. Here's a patch. I've
tested it fairly thoroughly, but someone else might want to go
through it.
--- /usr/src/usr.bin/fmt/fmt.c-dist Mon Apr 22 00:43:43 1996
+++ /usr/src/usr.bin/fmt/fmt.c Mon Apr 22 00:53:41 1996
@@ -172,7 +172,9 @@
*cp++ = c;
c = getc(fi);
}
- *cp = '\0';
+ if (cp != NULL) {
+ *cp = '\0';
+ }
/*
* Toss anything remaining on the input line.
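Review bot: the `if (cp != NULL)` guard around `*cp = '\0'` treats the symptom rather than the cause. The description says the fault comes from linebuf never being allocated for an empty line, so allocating linebuf once before the collection loop (or on entry to the function) keeps cp pointing at writable storage on every path and makes this guard and the two that follow unnecessary. If the guard stays, add a comment saying that cp == NULL here means "empty input line", because nothing in the visible code explains why a pointer into linebuf could be NULL.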
@@ -186,7 +188,7 @@
col = 0;
cp = linebuf;
cp2 = canonb;
- while (cc = *cp++) {
+ while ((cp != NULL) && (cc = *cp++)) {
if (cc != '\t') {
col++;
if (cp2 - canonb >= cbufsize) {
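Review bot: with cp NULL the loop body is skipped entirely, so cp2 is left equal to canonb and canonb is never terminated; the code that follows must not assume canonb holds a string. This check is also the same "empty line" test as in the first hunk, and the two will drift apart unless the condition is given a name or, better, removed by allocating linebuf up front so cp is never NULL when this loop is reached.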
@@ -217,12 +219,16 @@
/*
* Swipe trailing blanks from the line.
*/
- for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
- ;
- *++cp2 = '\0';
- prefix(canonb);
- if (c != EOF)
+ if (cp != NULL) {
+ for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
+ ;
+ *++cp2 = '\0';
+ prefix(canonb);
+ if (c != EOF)
+ c = getc(fi);
+ } else {
c = getc(fi);
+ }
}
}
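Review bot: the else branch only fetches the next character and never calls prefix(canonb), so an empty input line no longer reaches the output routine at all. Check whether fmt relies on prefix() seeing an empty line to flush the current paragraph and emit the blank line; if it does, this hunk turns the segfault into silently dropped paragraph breaks, which `printf 'a\n\nb\n' | fmt` would show. The simpler change is to leave the trailing-blank trimming and prefix() call unconditional and make sure canonb holds an empty string when the line is empty, which again follows from allocating linebuf before the collection loop.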
>Audit-Trail:
>Unformatted: