From owner-freebsd-bugs Wed Nov 4 06:09:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA27989 for freebsd-bugs-outgoing; Wed, 4 Nov 1998 06:09:31 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA27982 for ; Wed, 4 Nov 1998 06:09:29 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id GAA28990; Wed, 4 Nov 1998 06:00:01 -0800 (PST)
Received: from math.psu.edu (leibniz.math.psu.edu [146.186.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA25774 for ; Wed, 4 Nov 1998 05:53:47 -0800 (PST) (envelope-from viro@math.psu.edu)
Received: from hilbert.math.psu.edu (hilbert.math.psu.edu [146.186.130.197]) by math.psu.edu (8.8.5/8.7.3) with ESMTP id IAA07726 for ; Wed, 4 Nov 1998 08:53:38 -0500 (EST)
Received: (viro@localhost) by hilbert.math.psu.edu (8.8.8/8.6.9) id IAA09242 for FreeBSD-gnats-submit@freebsd.org; Wed, 4 Nov 1998 08:53:38 -0500 (EST)
Message-Id: <199811041353.IAA09242@hilbert.math.psu.edu>
Date: Wed, 4 Nov 1998 08:53:38 -0500 (EST)
From: viro@math.psu.edu
Reply-To: viro@math.psu.edu
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/8573: [PATCH] SIGSEGV in nvi 1.79
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         8573
>Category:       bin
>Synopsis:       nvi 1.79 SIGSEGVs on any address in .exrc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 4 06:00:01 PST 1998
>Last-Modified:
>Originator:     Al Viro
>Organization:   -ENOENT
>Release:        FreeBSD 2.2.7-RELEASE i386
>Environment:
Any OS that doesn't like NULL dereferencing ;-/
Reproducible on 3.0, Linux, SunOS, Slowlaris...
>Description:
ex/ex.c::ex_badaddr(sp,ba,cp,nret) passes cp->name to ex_emsg() in the case when sp->ep is NULL. It doesn't check for cp!=NULL. Bad, since in many places it is explicitly called in such a setup. One of them (in ex/ex.c):

1834:	/* No addresses permitted until a file has been read in. */
1835:	if (sp->ep == NULL && strchr("$0123456789'\\/?.+-^", *ecp->cp)) {
1836:		ex_badaddr(sp, NULL, A_EMPTY, NUM_OK);
...

which could as well be foo(*(char*)NULL)...
>How-To-Repeat:
Just put into .exrc any command with an address. Plain . will go.
>Fix:
*** ex/ex.c Thu Oct 10 18:49:46 1996 --- ex/ex.c.new Wed Nov 4 02:32:49 1998 *************** *** 2307,2313 **** * underlying file, that's the real problem. */ if (sp->ep == NULL) { ! ex_emsg(sp, cp->name, EXM_NOFILEYET); return; } --- 2307,2313 ---- * underlying file, that's the real problem. */ if (sp->ep == NULL) { ! ex_emsg(sp, cp ? cp->name : NULL, EXM_NOFILEYET); return; }
>Audit-Trail:
>Unformatted:
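Review bot: the changed line `! ex_emsg(sp, cp ? cp->name : NULL, EXM_NOFILEYET);` moves the NULL one level down rather than removing it: nothing in the hunk shows how ex_emsg() formats the name for EXM_NOFILEYET, so it needs confirming that ex_emsg() tolerates a NULL name (e.g. falls back to a generic "no file yet" message), otherwise the call at ex/ex.c line 1836, which passes cp == NULL on purpose, will still crash inside ex_emsg(). The hunk also covers only the sp->ep == NULL branch; since the PR says ex_badaddr() is called with a NULL cp "in many places", the rest of the function should be checked for other unconditional cp-> dereferences, and the PR text would benefit from a sentence stating that a NULL cp is a legitimate argument to ex_badaddr().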
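The NULL-dereference path the report describes, as an added example in C that is not nvi's own code: `screen`, `excmd`, `emsg()`, `badaddr()` and `check_exrc_line()` are hypothetical stand-ins for nvi's SCR, EXCMD, ex_emsg() and ex_badaddr(), and the address-character set is the one quoted from ex/ex.c line 1835. It shows the unchecked `cp->name` beside the checked form, makes the message sink itself tolerate a NULL name so the fix is not merely pushed one level down, and adds an empty-line guard that the quoted check lacks (strchr() matches the terminating NUL of its set string).

```c
/* Added example, not nvi's own code.  Models the ex_badaddr()/ex_emsg()
 * interaction described in PR bin/8573.  All names below (screen, excmd,
 * emsg, badaddr, check_exrc_line) are hypothetical stand-ins for nvi's
 * SCR, EXCMD, ex_emsg() and ex_badaddr(). */
#include <stdio.h>
#include <string.h>

#define EXM_NOFILEYET 1

struct excmd  { const char *name; };             /* command being executed, may be absent */
struct screen { void *ep; char last_msg[128]; }; /* ep == NULL: no file loaded yet */

/* Message sink.  Callers legitimately pass name == NULL (no command in
 * hand yet), so the sink must never dereference it. */
static void emsg(struct screen *sp, const char *name, int code)
{
    const char *who = (name != NULL) ? name : "ex";
    if (code == EXM_NOFILEYET)
        snprintf(sp->last_msg, sizeof sp->last_msg,
                 "%s: no file yet; addresses not permitted", who);
    else
        snprintf(sp->last_msg, sizeof sp->last_msg, "%s: error %d", who, code);
}

/* Shape of the call before the patch: unconditional cp->name.  With
 * cp == NULL this is the SIGSEGV from the report.  Deliberately not
 * called below. */
void badaddr_unchecked(struct screen *sp, const struct excmd *cp)
{
    if (sp->ep == NULL) {
        emsg(sp, cp->name, EXM_NOFILEYET);
        return;
    }
}

/* Shape of the call after the patch: cp is optional. */
void badaddr(struct screen *sp, const struct excmd *cp)
{
    if (sp->ep == NULL) {
        emsg(sp, cp != NULL ? cp->name : NULL, EXM_NOFILEYET);
        return;
    }
}

/* Mirrors the check quoted at ex/ex.c line 1835.  Returns 1 when the
 * line is rejected because it opens with an address before any file is
 * loaded.  The *line != '\0' guard is added here because strchr(set, '\0')
 * matches the terminator of `set`, so an empty line would otherwise be
 * flagged as an address. */
static int check_exrc_line(struct screen *sp, const char *line)
{
    if (sp->ep == NULL && *line != '\0' &&
        strchr("$0123456789'\\/?.+-^", *line) != NULL) {
        badaddr(sp, NULL);      /* the same NULL the real caller passes */
        return 1;
    }
    return 0;
}

/* Helpers that run one .exrc line against a fresh screen. */
int rejected(const char *line, int have_file)
{
    struct screen sp;
    memset(&sp, 0, sizeof sp);
    sp.ep = have_file ? (void *)&sp : NULL;   /* any non-NULL ep models a loaded file */
    return check_exrc_line(&sp, line);
}

const char *message_after(const char *line)
{
    static struct screen sp;
    memset(&sp, 0, sizeof sp);
    check_exrc_line(&sp, line);
    return sp.last_msg;
}

int main(void)
{
    /* Constructed .exrc lines: the report's "plain ." plus a few more. */
    const char *lines[] = { ".", "5d", "set ai", "" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-8s -> %s\n", lines[i],
               rejected(lines[i], 0) ? message_after(lines[i]) : "accepted");
    return 0;
}
```

With no file loaded, "." and "5d" are rejected with a message that names no command, "set ai" and an empty line pass, and once `ep` is set the same address lines are accepted.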