Date: Mon, 11 Feb 2002 13:29:54 +1100 (EST) From: Tim Robbins <tim@robbins.dropbear.id.au> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/34813: [PATCH] sed dumps core on "unusual" scripts Message-ID: <200202110229.g1B2TsY28465@descent.robbins.dropbear.id.au>
next in thread | raw e-mail | index | archive | help
>Number: 34813 >Category: bin >Synopsis: [PATCH] sed dumps core on "unusual" scripts >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Feb 10 18:30:01 PST 2002 >Closed-Date: >Last-Modified: >Originator: Tim Robbins >Release: FreeBSD 4.5-STABLE i386 >Organization: >Environment: System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #3: Thu Feb 7 01:39:15 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386 >Description: Refer to keoki's post to the vuln-dev list, archived here: http://marc.theaimsgroup.com/?l=vuln-dev&m=101301566910174&w=2 Essentially: A problem exist in FreeBSD's version of SED, that when you specify last line and do not get contents of hold area and then delete the first part of a pattern space against a file which contains two lines or more, it results in a Segmentation fault "coredump". >How-To-Repeat: From keoki's post: [keoki@jeff:~/test] for i in 1 2; do echo "blah" >> example; done [keoki@jeff:~/test] sed '$!g; D' example Segmentation fault (core dumped) [keoki@jeff:~/test] sed '$g; D' example Segmentation fault (core dumped) [keoki@jeff:~/test] I have verified that this affects 4.5-STABLE and -CURRENT. >Fix: 1 was being subtracted from 0 of an unsigned type, causing it to wrap back around to ~0. This was used as a buffer length, causing sed to examine more memory than it should and eventually segfault. Index: sed/process.c =================================================================== RCS file: /home/ncvs/src/usr.bin/sed/process.c,v retrieving revision 1.12 diff -u -r1.12 process.c --- sed/process.c 2001/12/12 23:20:16 1.12 +++ sed/process.c 2002/02/11 01:26:39 @@ -136,7 +136,8 @@ case 'D': if (pd) goto new; - if ((p = memchr(ps, '\n', psl - 1)) == NULL) { + if (psl == 0 || + (p = memchr(ps, '\n', psl - 1)) == NULL) { pd = 1; goto new; } else { @@ -186,7 +187,8 @@ case 'P': if (pd) break; - if ((p = memchr(ps, '\n', psl - 1)) != NULL) { + if (psl != 0 && + (p = memchr(ps, '\n', psl - 1)) != NULL) { oldpsl = psl; psl = (p + 1) - ps; } @@ -238,7 +240,7 @@ HS = tspace; break; case 'y': - if (pd) + if (pd || psl == 0) break; for (p = ps, len = psl; --len; ++p) *p = cp->u.y[(unsigned char)*p]; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202110229.g1B2TsY28465>