From owner-freebsd-bugs Fri Dec 1 00:50:13 1995
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA18141 for bugs-outgoing; Fri, 1 Dec 1995 00:50:13 -0800
Received: (from gnats@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id AAA18114 ; Fri, 1 Dec 1995 00:50:07 -0800
Resent-Date: Fri, 1 Dec 1995 00:50:07 -0800
Resent-Message-Id: <199512010850.AAA18114@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, cgull@smoke.marlboro.vt.us
Received: from smoke.marlboro.vt.us (smoke.marlboro.vt.us [198.206.215.91]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA16883 for ; Fri, 1 Dec 1995 00:45:49 -0800
Received: (from cgull@localhost) by smoke.marlboro.vt.us (8.6.*cough-wheeze*/8.6.9) id DAA04115; Fri, 1 Dec 1995 03:44:48 -0500
Message-Id: <199512010844.DAA04115@smoke.marlboro.vt.us>
Date: Fri, 1 Dec 1995 03:44:48 -0500
From: john hood
Reply-To: cgull@smoke.marlboro.vt.us
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/858: sh dumps core on uninitialized memory in editline
Sender: owner-bugs@freebsd.org
Precedence: bulk

>Number:         858
>Category:       bin
>Synopsis:       sh dumps core on uninitialized memory in editline
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 1 00:50:03 PST 1995
>Last-Modified:
>Originator:     john hood
>Organization:
>Release:        FreeBSD 2.0-BUILT-19950603 i386
>Environment:
Standard binary distribution of FreeBSD 2.0.5. Bug also verified with FreeBSD 2.1 boot and fixit floppies.
>Description:
editline will dereference an uninitialized pointer under certain circumstances. The memory pointer in question only gets stomped by certain malloc/free usage patterns, though, so this is apparently not a common problem.
>How-To-Repeat:
------------------------------8<------------------------------
#!/bin/sh
DIR=/tmp
cd $DIR
cat > .profile <<\Bonk
#!/bin/sh
set -x
# 57 slashes ok, 58 kills something
//////////////////////////////////////////////////////////
set -o ignoreeof
set -o emacs
# sh core dumps on this command
echo "Made it!"
Bonk
ln -s /bin/sh ./-sh
HOME=$DIR PATH=.:$PATH -sh
------------------------------8<------------------------------
>Fix:
*** /usr/src/lib/libedit/term.c Tue May 30 01:43:15 1995 --- term.c Wed Nov 29 17:03:20 1995 *************** *** 310,315 **** --- 310,316 ---- el->el_term.t_buf = (char *) el_malloc(TC_BUFSIZE); el->el_term.t_cap = (char *) el_malloc(TC_BUFSIZE); el->el_term.t_fkey = (fkey_t *) el_malloc(4 * sizeof(fkey_t)); + (void) memset(el->el_term.t_fkey, 0, 4 * sizeof(fkey_t)); el->el_term.t_loc = 0; el->el_term.t_str = (char **) el_malloc(T_str * sizeof(char*)); (void) memset(el->el_term.t_str, 0, T_str * sizeof(char*));
>Audit-Trail:
>Unformatted:
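Review bot: the added memset zeroes t_fkey immediately after its el_malloc, matching the way t_str is already zeroed two lines further down in the same hunk, so the shape of the fix is consistent with the surrounding code; the remaining weakness in this region is that none of the four el_malloc results (t_buf, t_cap, t_fkey, t_str) is checked for NULL before use, so on allocation failure the new memset would write through a null pointer just as the existing t_str memset does. A one-line comment above the added memset saying that the fkey entries are read before anything assigns them (the uninitialized dereference the Description reports) would tell future readers why the zeroing is load-bearing and not just tidiness.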