Date:      Mon, 26 Mar 2018 13:30:12 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 226948] [PATCH] usr.bin/apply: segmentation fault with blank magic character
Message-ID:  <bug-226948-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226948

            Bug ID: 226948
           Summary: [PATCH] usr.bin/apply: segmentation fault with blank
                    magic character
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tobias@stoeckmann.org

Created attachment 191838
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191838&action=edit
Patch to fix the issue

I have encountered and fixed an issue when the magic character ' ' is used.

apply(1) checks for magic numbers to substitute. These magic numbers are used
for argument substitution. You could write a command like

$ apply '2to3 %1 %2' test1.py test2.py

which would run "2to3 test1.py test2.py". The magic character '%' can be
replaced with the option -a. In my case, I replace it with ' '.

The issue is that the check for magic numbers and the actual replacement happen in two
different parts of the code. Between them, the command is prepended with "exec ",
which is used for the shell invocation later on.

The bug is triggered with an invocation like this:

$ apply -a ' ' 2to3 test.py
Segmentation fault (core dumped)
$ _

The check for magic numbers is negative, because "2to3" has no magic number.
But right after the check, it's extended to "exec 2to3". As I changed the magic
character from '%' to ' ', suddenly it DOES contain a magic number.

The code does not properly verify afterwards if enough arguments have been
supplied and tries to access argv[2], which is NULL. The command crashes.

This patch is based on my merge attempt of a previous FreeBSD bug into OpenBSD.
You can see the discussion and OpenBSD's version of the patch here:

https://marc.info/?l=openbsd-tech&m=152180028615405&w=2

-- 
You are receiving this mail because:
You are the assignee for the bug.
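The report describes a check-then-modify mismatch: the magic-number scan runs on the bare command, "exec " is prepended afterwards, and the substitution then indexes the argument list without verifying the count on the string it actually expands. The following is an added illustration written for this archive page, not apply(1)'s source or the attached patch. It models the scan and substitution with simplified helpers (`max_magic`, `expand`, `build_command` are names chosen here) and shows why the scan result changes once the prefix is added, and how scanning the final string plus a bounds check in the substitution turns the NULL dereference into a clean rejection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Highest magic number referenced in cmd: the magic char followed by a
   digit 1..9 (e.g. "%2" with magic '%', or " 2" with magic ' ').
   Returns 0 when the command contains no magic number. */
int max_magic(const char *cmd, char magic) {
    int max = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == magic && p[1] >= '1' && p[1] <= '9') {
            int n = p[1] - '0';
            if (n > max) max = n;
            p++;                       /* skip the digit */
        }
    }
    return max;
}

/* Replace every magic number with args[n-1]. Returns a malloc'd string,
   or NULL if a referenced argument does not exist. That bounds check is
   what the report says the original substitution lacked: it read argv[2]
   while only one argument had been supplied. */
char *expand(const char *cmd, char magic, int nargs, char *const args[]) {
    size_t cap = strlen(cmd) + 1, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (const char *p = cmd; *p; p++) {
        const char *piece;
        size_t plen;
        char one[2] = { *p, '\0' };
        if (*p == magic && p[1] >= '1' && p[1] <= '9') {
            int n = p[1] - '0';
            if (n > nargs) { free(out); return NULL; }   /* hardened path */
            piece = args[n - 1];
            plen = strlen(piece);
            p++;
        } else {
            piece = one;
            plen = 1;
        }
        if (len + plen + 1 > cap) {
            cap = (len + plen + 1) * 2;
            char *t = realloc(out, cap);
            if (!t) { free(out); return NULL; }
            out = t;
        }
        memcpy(out + len, piece, plen);
        len += plen;
    }
    out[len] = '\0';
    return out;
}

/* Hardened flow: build the string that will really be expanded ("exec "
   prefix included) BEFORE counting magic numbers, then substitute with
   the bounds check above. Returns NULL when arguments are missing. */
char *build_command(const char *cmd, char magic, int nargs, char *const args[]) {
    size_t n = strlen(cmd) + sizeof("exec ");
    char *full = malloc(n);
    if (!full) return NULL;
    snprintf(full, n, "exec %s", cmd);
    char *out = NULL;
    if (max_magic(full, magic) <= nargs)
        out = expand(full, magic, nargs, args);
    free(full);
    return out;
}

/* The reporter's invocation, apply -a ' ' 2to3 test.py, modelled here:
   returns 1 if the hardened flow rejects it instead of reading past argv. */
int report_case_rejected(void) {
    char *const args[] = { "test.py" };          /* constructed sample input */
    char *out = build_command("2to3", ' ', 1, args);
    int rejected = (out == NULL);
    free(out);
    return rejected;
}

/* A normal '%' invocation must still expand correctly. */
int normal_case_ok(void) {
    char *const args[] = { "test1.py", "test2.py" };   /* constructed */
    char *out = build_command("2to3 %1 %2", '%', 2, args);
    int ok = out != NULL && strcmp(out, "exec 2to3 test1.py test2.py") == 0;
    free(out);
    return ok;
}

int main(void) {
    /* Same command, scanned before and after the prefix: 0 vs 2. */
    printf("before prefix: %d, after prefix: %d\n",
           max_magic("2to3", ' '), max_magic("exec 2to3", ' '));
    printf("report case rejected: %d, normal case ok: %d\n",
           report_case_rejected(), normal_case_ok());
    return 0;
}
```

Scanning the unprefixed command reports no magic number, scanning "exec 2to3" with magic ' ' reports 2, which is exactly the discrepancy the report describes; doing the count on the final string and refusing when `n > nargs` removes both the crash and the silent dependency on the order of the two code paths.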


