Date:      Fri, 1 Dec 1995 03:44:48 -0500
From:      john hood <cgull@smoke.marlboro.vt.us>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/858: sh dumps core on uninitialized memory in editline
Message-ID:  <199512010844.DAA04115@smoke.marlboro.vt.us>
Resent-Message-ID: <199512010850.AAA18114@freefall.freebsd.org>



>Number:         858
>Category:       bin
>Synopsis:       sh dumps core on uninitialized memory in editline
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  1 00:50:03 PST 1995
>Last-Modified:
>Originator:     john hood
>Organization:
>Release:        FreeBSD 2.0-BUILT-19950603 i386
>Environment:

standard binary distribution of freebsd 2.0.5.  bug also verified with
freebsd 2.1 boot and fixit floppies.

>Description:

editline will dereference an uninitialized pointer under certain
circumstances.  the memory pointer in question only gets stomped by
certain malloc/free usage patterns, though, so this is apparently not
a common problem.

>How-To-Repeat:

------------------------------8<------------------------------
#!/bin/sh
DIR=/tmp

cd $DIR

cat > .profile <<\Bonk
#!/bin/sh
set -x
# 57 slashes ok, 58 kills something
//////////////////////////////////////////////////////////
set -o ignoreeof
set -o emacs  # sh core dumps on this command
echo "Made it!"
Bonk

ln -s /bin/sh ./-sh

HOME=$DIR

PATH=.:$PATH

-sh
------------------------------8<------------------------------


>Fix:
	
*** /usr/src/lib/libedit/term.c	Tue May 30 01:43:15 1995
--- term.c	Wed Nov 29 17:03:20 1995
***************
*** 310,315 ****
--- 310,316 ----
      el->el_term.t_buf = (char *)  el_malloc(TC_BUFSIZE);
      el->el_term.t_cap = (char *)  el_malloc(TC_BUFSIZE);
      el->el_term.t_fkey = (fkey_t *) el_malloc(4 * sizeof(fkey_t));
+     (void) memset(el->el_term.t_fkey, 0, 4 * sizeof(fkey_t));
      el->el_term.t_loc = 0;
      el->el_term.t_str = (char **) el_malloc(T_str * sizeof(char*));
      (void) memset(el->el_term.t_str, 0, T_str * sizeof(char*));
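Review bot: the added memset() after the t_fkey allocation brings it in line with the existing handling of t_str two lines below, so a freshly allocated key table no longer carries whatever the allocator left behind; the remaining point in this hunk is that none of the el_malloc() results (t_buf, t_cap, t_fkey, t_str) is checked for NULL before memset() or later code writes through it, so a failed allocation would still fault here. Consider a NULL check on each allocation before the clear, or an allocator call that returns zeroed memory so the separate memset() is not needed.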


>Audit-Trail:
>Unformatted:
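The defect class this report describes, as an added example that is not libedit's code (the fkey_t layout, the NFKEYS size and all function names here are simplified stand-ins): a malloc'd table of records whose pointer field is consulted before it has ever been set, beside the cleared allocation that matches the memset() in the Fix section.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for editline's fkey_t: a function-key binding that
 * owns a heap string, or NULL when the slot is unused. */
typedef struct {
    char *name;
} fkey_t;

#define NFKEYS 4

/* Pattern from the report: the table is malloc'd but never cleared, so each
 * slot's pointer is whatever the allocator left there. Whether that garbage
 * happens to be NULL depends on earlier malloc/free traffic, which is why
 * the crash only shows up in some sessions. */
fkey_t *fkey_table_uninit(void) {
    return malloc(NFKEYS * sizeof(fkey_t));
}

/* Corrected pattern, equivalent to the memset() the report adds: every slot
 * starts out as NULL, so "free the old binding" below is always safe. */
fkey_t *fkey_table_init(void) {
    fkey_t *t = malloc(NFKEYS * sizeof(fkey_t));
    if (t != NULL)
        memset(t, 0, NFKEYS * sizeof(fkey_t));
    return t;
}

/* Rebind slot i, releasing any previous string. On an uninitialised table
 * the free() below operates on a garbage pointer. Returns 0 on success. */
int fkey_set(fkey_t *t, int i, const char *seq) {
    if (t == NULL || i < 0 || i >= NFKEYS || seq == NULL)
        return -1;
    size_t n = strlen(seq) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return -1;
    memcpy(copy, seq, n);
    free(t[i].name);   /* safe only if the slot is NULL or a real allocation */
    t[i].name = copy;
    return 0;
}

/* Number of unused (NULL) slots; a freshly initialised table reports NFKEYS. */
int fkey_count_null(const fkey_t *t) {
    int n = 0;
    for (int i = 0; i < NFKEYS; i++)
        if (t[i].name == NULL)
            n++;
    return n;
}

void fkey_table_free(fkey_t *t) {
    if (t == NULL)
        return;
    for (int i = 0; i < NFKEYS; i++)
        free(t[i].name);
    free(t);
}
```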



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199512010844.DAA04115>