From owner-freebsd-bugs Sun Apr 21 22:10:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA10236 for bugs-outgoing; Sun, 21 Apr 1996 22:10:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA10226 Sun, 21 Apr 1996 22:10:01 -0700 (PDT)
Resent-Date: Sun, 21 Apr 1996 22:10:01 -0700 (PDT)
Resent-Message-Id: <199604220510.WAA10226@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, mmead@Glock.COM
Received: from neon.Glock.COM (neon.glock.com [198.82.228.159]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id WAA09894 for ; Sun, 21 Apr 1996 22:03:14 -0700 (PDT)
Received: (from mmead@localhost) by neon.Glock.COM (8.7.5/8.7.3) id BAA01235; Mon, 22 Apr 1996 01:03:08 -0400 (EDT)
Message-Id: <199604220503.BAA01235@neon.Glock.COM>
Date: Mon, 22 Apr 1996 01:03:08 -0400 (EDT)
From: mmead@Glock.COM
Reply-To: mmead@Glock.COM
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1153: fmt segfaults
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1153
>Category: bin
>Synopsis: fmt segfaults when it receives an empty line of input
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 21 22:10:00 PDT 1996
>Last-Modified:
>Originator: matthew c. mead
>Organization: Glock Telecommunications
>Release: FreeBSD neon.Glock.COM 2.2-CURRENT FreeBSD 2.2-CURRENT #0: Sat Apr 20 18:54:24 EDT 1996 mmead@neon.Glock.COM:/home/src/sys/compile/NEON i386
>Environment:
As far as I can tell, it happens no matter what the environment in your shell is, no matter what user you are, etc.
>Description:
When accepting input for formatting, fmt gets a segmentation fault when it attempts to process an empty line of text. The problem is at line 175 of /usr/src/usr.bin/fmt/fmt.c, and occurs because on an empty line of text, no space is allocated to linebuf, which the assignment *cp = '\0' dereferences. This is the first of such problems, and (cp == NULL) checks need to be implemented.
>How-To-Repeat:
echo "" | fmt
>Fix:
I've hacked on /usr/src/usr.bin/fmt/fmt.c and think I've got the problem all figured out and fixed. Here's a patch. I've tested it fairly thoroughly, but someone else might want to go through it.

--- /usr/src/usr.bin/fmt/fmt.c-dist Mon Apr 22 00:43:43 1996 +++ /usr/src/usr.bin/fmt/fmt.c Mon Apr 22 00:53:41 1996 @@ -172,7 +172,9 @@ *cp++ = c; c = getc(fi); } - *cp = '\0'; + if (cp != NULL) { + *cp = '\0'; + } /* * Toss anything remaining on the input line. @@ -186,7 +188,7 @@ col = 0; cp = linebuf; cp2 = canonb; - while (cc = *cp++) { + while ((cp != NULL) && (cc = *cp++)) { if (cc != '\t') { col++; if (cp2 - canonb >= cbufsize) { 
@@ -217,12 +219,16 @@ /* * Swipe trailing blanks from the line. */ - for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--) - ; - *++cp2 = '\0'; - prefix(canonb); - if (c != EOF) + if (cp != NULL) { + for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--) + ; + *++cp2 = '\0'; + prefix(canonb); + if (c != EOF) + c = getc(fi); + } else { c = getc(fi); + } } }
>Audit-Trail:
>Unformatted:
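
Review bot: In the first hunk (@@ -172,7 +172,9 @@), guarding `*cp = '\0';` with `if (cp != NULL)` stops the crash but leaves the line buffer unallocated for an empty line, which is why the two later hunks need NULL tests of their own. Consider making sure linebuf holds at least one byte before this store, so the terminator can always be written and the rest of the function sees an empty string instead of a null pointer.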
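
Review bot: In the second hunk (@@ -186,7 +188,7 @@), `cp != NULL` is re-tested on every pass of the `while` loop although `cp` was set from `linebuf` on the line above and only advances afterwards. Test it once before the loop, preferably as a test of `linebuf` itself, and keep the added parentheses around `(cc = *cp++)`, which make the assignment used as a condition explicit.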
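
Review bot: In the third hunk (@@ -217,12 +219,16 @@), the new `else` branch runs `c = getc(fi);` without the `if (c != EOF)` test that the other branch keeps, so the empty-line path reads again even when end of input has already been seen. A single `if (c != EOF) c = getc(fi);` after the `if` block would keep both paths the same. The `else` branch also skips `prefix(canonb)` for an empty line, which needs a comment saying that this is intended, and testing `linebuf` rather than `cp` here would make the condition easier to follow.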