From owner-freebsd-bugs@FreeBSD.ORG Mon Apr 25 23:40:18 2005
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5661516A4CE for ; Mon, 25 Apr 2005 23:40:18 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5EE443D39 for ; Mon, 25 Apr 2005 23:40:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j3PNeHrW053964 for ; Mon, 25 Apr 2005 23:40:17 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j3PNeHoS053961; Mon, 25 Apr 2005 23:40:17 GMT (envelope-from gnats)
Resent-Date: Mon, 25 Apr 2005 23:40:17 GMT
Resent-Message-Id: <200504252340.j3PNeHoS053961@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Wojciech A. Koszek"
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B534F16A4CE for ; Mon, 25 Apr 2005 23:34:11 +0000 (GMT)
Received: from freebsd.czest.pl (silver.iplus.pl [80.48.250.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB3CB43D2D for ; Mon, 25 Apr 2005 23:34:10 +0000 (GMT) (envelope-from dunstan@freebsd.czest.pl)
Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4]) by freebsd.czest.pl (8.12.10/8.12.9) with ESMTP id j3PNhhMG003502 for ; Mon, 25 Apr 2005 23:43:43 GMT (envelope-from dunstan@freebsd.czest.pl)
Received: (from dunstan@localhost) by freebsd.czest.pl (8.12.10/8.12.9/Submit) id j3PNhgar003501; Mon, 25 Apr 2005 23:43:43 GMT (envelope-from dunstan)
Message-Id: <200504252343.j3PNhgar003501@freebsd.czest.pl>
Date: Mon, 25 Apr 2005 23:43:43 GMT
From: "Wojciech A. Koszek"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/80348: rs(1) handles command line arguments improperly (SIGSEGV)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Wojciech A. Koszek"
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Apr 2005 23:40:18 -0000

>Number:         80348
>Category:       bin
>Synopsis:       rs(1) handles command line arguments improperly (SIGSEGV)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 25 23:40:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.4-STABLE FreeBSD 5.4-STABLE #8: Sat Apr 16 16:26:40 CEST 2005 dunstan@dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME8 i386

>Description:
rs(1) takes the number of rows and columns from the command line. Due to the lack of validity checking, it has problems handling malicious values.

>How-To-Repeat:
$ echo test | rs 1 -99999999999
zsh: done                              echo test |
zsh: segmentation fault (core dumped)  rs 1 -99999999999

Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `rs'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                     colwidths[ocols - 1] = 0;
(gdb) bt
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at /usr/src/usr.bin/rs/rs.c:122
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                     colwidths[ocols - 1] = 0;
(gdb) f 1
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at /usr/src/usr.bin/rs/rs.c:122
122             prepfile();
(gdb) l
117             getfile();
118             if (flags & SHAPEONLY) {
119                     printf("%d %d\n", irows, icols);
120                     exit(0);
121             }
122             prepfile();
123             putfile();
124             exit(0);
125     }
126
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                     colwidths[ocols - 1] = 0;
(gdb) list
319                     colwidths[i] = colw;
320             if (!(flags & NOTRIMENDCOL)) {
321                     if (flags & RIGHTADJUST)
322                             colwidths[0] -= gutter;
323                     else
324                             colwidths[ocols - 1] = 0;
325             }
326             n = orows * ocols;
327             if (n > nelem && (flags & RECYCLE))
328                     nelem = n;
(gdb) quit

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
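The crash above is a negative ocols reaching colwidths[ocols - 1] unchecked. The following is an added example, not code from the PR or from rs(1)'s source, showing the argument validation the report says is missing: a strtol-based parser that rejects overflow, trailing junk and out-of-range counts, plus a bounds-checked version of the assignment at rs.c:324. The names parse_dimension, trim_last_column and the MAXDIM limit of 4096 are assumptions made for this example; rs(1) itself defines none of them.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on rows/columns for this example; not an rs(1) constant. */
#define MAXDIM 4096

/*
 * Parse a row/column count from a command-line string (hypothetical helper).
 * Returns the value (1..MAXDIM) on success, or -1 if the string is not a
 * well-formed positive integer within range.  A value such as "-99999999999"
 * is rejected here: on 32-bit long it overflows (ERANGE), on 64-bit long it
 * parses but fails the range check.  Either way it never reaches an index.
 */
int
parse_dimension(const char *s)
{
	char *end;
	long v;

	if (s == NULL || *s == '\0')
		return (-1);
	errno = 0;
	v = strtol(s, &end, 10);
	if (errno == ERANGE)		/* did not fit in a long */
		return (-1);
	if (*end != '\0')		/* trailing junk, e.g. "12abc" */
		return (-1);
	if (v < 1 || v > MAXDIM)	/* zero, negative or absurdly large */
		return (-1);
	return ((int)v);
}

/*
 * Bounds-checked counterpart of "colwidths[ocols - 1] = 0;" from the
 * backtrace.  Returns 0 after clearing the last column width, or -1 if
 * ocols would index outside the ncols-element array.
 */
int
trim_last_column(int *colwidths, size_t ncols, int ocols)
{
	if (ocols < 1 || (size_t)ocols > ncols)
		return (-1);
	colwidths[ocols - 1] = 0;
	return (0);
}

int
main(int argc, char *argv[])
{
	int orows, ocols;
	int colwidths[MAXDIM];

	if (argc != 3) {
		fprintf(stderr, "usage: %s rows cols\n", argv[0]);
		return (1);
	}
	orows = parse_dimension(argv[1]);
	ocols = parse_dimension(argv[2]);
	if (orows < 0 || ocols < 0) {
		fprintf(stderr, "rows and cols must be integers in 1..%d\n",
		    MAXDIM);
		return (1);
	}
	memset(colwidths, 0, sizeof(colwidths));
	if (trim_last_column(colwidths, MAXDIM, ocols) != 0) {
		fprintf(stderr, "column count out of range\n");
		return (1);
	}
	printf("%d rows, %d cols\n", orows, ocols);
	return (0);
}
```

Run as "./a.out 1 -99999999999" this exits with the usage error instead of faulting; the index guard in trim_last_column is the second line of defence in case a count is computed rather than parsed.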