From owner-freebsd-bugs@freebsd.org Mon Mar 26 13:30:13 2018 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6942F6CF34 for ; Mon, 26 Mar 2018 13:30:13 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 403207DA26 for ; Mon, 26 Mar 2018 13:30:13 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id 72FCF1D639 for ; Mon, 26 Mar 2018 13:30:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id w2QDUC7i099496 for ; Mon, 26 Mar 2018 13:30:12 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id w2QDUCLl099495 for freebsd-bugs@FreeBSD.org; Mon, 26 Mar 2018 13:30:12 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 226948] [PATCH] usr.bin/apply: segmentation fault with blank magic character Date: Mon, 26 Mar 2018 13:30:12 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: tobias@stoeckmann.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Mar 2018 13:30:14 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D226948 Bug ID: 226948 Summary: [PATCH] usr.bin/apply: segmentation fault with blank magic character Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: tobias@stoeckmann.org Created attachment 191838 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D191838&action= =3Dedit Patch to fix the issue I have encountered and fixed an issue when the magic character ' ' is used. apply(1) checks for magic numbers to substitue. These magic numbers are used for argument substitution. You could write a command like $ apply '2to3 %1 %2' test1.py test2.py Which would run "2to3 test1.py test2.py". The magic character '%' can be replaced with the option -a. In my case, I replace it with ' '. The issue is that check for magic numbers and actual replacement happen in = two different parts of the code. Between them, the command is prepended with "e= xec ", which is used for the shell invocation later on. The bug is triggered with an invocation like this: $ apply -a ' ' 2to3 test.py Segmentation fault (core dumped) $ _ The check for magic numbers is negative, because "2to3" has no magic number. But right after the check, it's extended to "exec 2to3". As I changed the m= agic character from '%' to ' ', suddenly it DOES contain a magic number. The code does not properly verify afterwards if enough arguments have been supplied and tries to access argv[2], which is NULL. The command crashes. This patch is based on my merge attempt of a previous FreeBSD bug into Open= BSD. You can see the discussion and OpenBSD's version of the patch here: https://marc.info/?l=3Dopenbsd-tech&m=3D152180028615405&w=3D2 --=20 You are receiving this mail because: You are the assignee for the bug.=