From owner-freebsd-bugs Sun Feb 10 18:30:10 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 46ED337B416 for ; Sun, 10 Feb 2002 18:30:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g1B2U1v78463; Sun, 10 Feb 2002 18:30:01 -0800 (PST) (envelope-from gnats)
Received: from descent.robbins.dropbear.id.au (090.a.005.mel.iprimus.net.au [210.50.40.90]) by hub.freebsd.org (Postfix) with ESMTP id 1274737B402 for ; Sun, 10 Feb 2002 18:29:46 -0800 (PST)
Received: (from tim@localhost) by descent.robbins.dropbear.id.au (8.11.6/8.11.6) id g1B2TsY28465; Mon, 11 Feb 2002 13:29:54 +1100 (EST) (envelope-from tim)
Message-Id: <200202110229.g1B2TsY28465@descent.robbins.dropbear.id.au>
Date: Mon, 11 Feb 2002 13:29:54 +1100 (EST)
From: Tim Robbins
Reply-To: Tim Robbins
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/34813: [PATCH] sed dumps core on "unusual" scripts
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         34813
>Category:       bin
>Synopsis:       [PATCH] sed dumps core on "unusual" scripts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 10 18:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tim Robbins
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #3: Thu Feb 7 01:39:15 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386
>Description:
Refer to keoki's post to the vuln-dev list, archived here:
http://marc.theaimsgroup.com/?l=vuln-dev&m=101301566910174&w=2

Essentially:

A problem exists in FreeBSD's version of SED: when you specify the last line and do not get the contents of the hold area, and then delete the first part of the pattern space against a file which contains two lines or more, it results in a Segmentation fault "coredump".
>How-To-Repeat:
From keoki's post:

[keoki@jeff:~/test] for i in 1 2; do echo "blah" >> example; done
[keoki@jeff:~/test] sed '$!g; D' example
Segmentation fault (core dumped)
[keoki@jeff:~/test] sed '$g; D' example
Segmentation fault (core dumped)
[keoki@jeff:~/test]

I have verified that this affects 4.5-STABLE and -CURRENT.
>Fix:
1 was being subtracted from 0 of an unsigned type, causing it to wrap back around to ~0. This was used as a buffer length, causing sed to examine more memory than it should and eventually segfault.
Index: sed/process.c =================================================================== RCS file: /home/ncvs/src/usr.bin/sed/process.c,v retrieving revision 1.12 diff -u -r1.12 process.c --- sed/process.c 2001/12/12 23:20:16 1.12 +++ sed/process.c 2002/02/11 01:26:39 @@ -136,7 +136,8 @@ case 'D': if (pd) goto new; - if ((p = memchr(ps, '\n', psl - 1)) == NULL) { + if (psl == 0 || + (p = memchr(ps, '\n', psl - 1)) == NULL) { pd = 1; goto new; } else { @@ -186,7 +187,8 @@ case 'P': if (pd) break; - if ((p = memchr(ps, '\n', psl - 1)) != NULL) { + if (psl != 0 && + (p = memchr(ps, '\n', psl - 1)) != NULL) { oldpsl = psl; psl = (p + 1) - ps; } @@ -238,7 +240,7 @@ HS = tspace; break; case 'y': - if (pd) + if (pd || psl == 0) break; for (p = ps, len = psl; --len; ++p) *p = cp->u.y[(unsigned char)*p]; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
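Review bot: In the 'D' hunk (@@ -136,7 +136,8 @@) the new `psl == 0` test is correct but carries no explanation; a one-line comment saying that `psl - 1` is a size_t expression that wraps to SIZE_MAX when the pattern space is empty (the cause described under >Fix) would stop a later reader from "simplifying" the guard away. It would also help to state why the search deliberately stops one byte short of `psl`, since that `- 1` is the only reason the empty case needs special handling: if excluding the last byte is not actually required, searching the full `psl` would remove the need for the guard altogether.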
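Review bot: The 'P' hunk (@@ -186,7 +187,8 @@) guards the same `memchr(ps, '\n', psl - 1)` expression as the 'D' hunk but phrases the condition the other way round (`psl != 0 &&` versus `psl == 0 ||`); both are correct, but the same invariant is now checked at three sites, so identical phrasing with a shared comment, or a small helper that searches only when `psl > 0`, would make the intent obvious and give any remaining `psl - 1` searches in process.c a single place to be fixed. Please grep for other `psl - 1` uses before committing, since the patch only touches the three sites shown.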
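Review bot: The `psl == 0` guard added to the 'y' case (@@ -238,7 +240,7 @@) removes the wrap of `--len` from 0 to SIZE_MAX, but the loop it protects still visits only `psl - 1` bytes: the pre-decrement test fails before the last byte is reached, so the final character of the pattern space is never passed through `cp->u.y`. If that is intended (the last byte is not subject to transliteration), a comment should say so; if not, `len--` in the loop condition would translate the whole space and is also safe for `psl == 0` on its own, at which point the new guard could be dropped.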
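The >Fix paragraph and the three hunks above describe one defect: `psl - 1` on an unsigned length wraps to SIZE_MAX when the pattern space is empty, and that value is handed to memchr() or used as a loop counter. The following is an added example, not code from the FreeBSD sed sources or from the PR. It models the patched 'D', 'P' and 'y' call sites as standalone C functions over a (ps, psl) pair, an assumed simplification of sed's pattern space in which psl excludes any trailing newline; it shows the wrapped length the unpatched code computed, and replays the reporter's `$!g; D` state (empty hold space copied over the pattern space) on a constructed two-line input. The function names and the constructed input are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD's sed. The pattern space is modelled as the
 * pair (ps, psl); psl is assumed to exclude any trailing newline, so the
 * patch's memchr(ps, '\n', psl - 1) skips a newline in last position. */

/* What the unpatched code computed as the memchr() length for an empty
 * pattern space: 0 - 1 on a size_t wraps to SIZE_MAX, so memchr() scanned
 * past the buffer until it reached an unmapped page. */
size_t unguarded_search_len(size_t psl)
{
    return psl - 1;
}

/* Patched 'D': bytes to drop from the front, through the first embedded
 * newline; -1 when the space is empty or holds no embedded newline, which
 * sed treats like 'd' (delete the space, start a new cycle). */
long d_cut(const char *ps, size_t psl)
{
    const char *p;

    if (psl == 0 || (p = memchr(ps, '\n', psl - 1)) == NULL)
        return -1;
    return (long)((p + 1) - ps);
}

/* Patched 'P': leading bytes to print, i.e. the first line including its
 * newline when one is embedded, else the whole space (0 when empty). */
size_t p_len(const char *ps, size_t psl)
{
    const char *p;

    if (psl != 0 && (p = memchr(ps, '\n', psl - 1)) != NULL)
        return (size_t)((p + 1) - ps);
    return psl;
}

/* Patched 'y': transliterate in place through a 256-entry table. The
 * pre-decrement loop is kept exactly as in the patch, so it visits
 * psl - 1 bytes; the early return replaces the --len wrap that ran off
 * the end of the buffer. Returns the number of bytes visited. */
size_t y_apply(char *ps, size_t psl, const unsigned char table[256])
{
    char *p;
    size_t len, visited = 0;

    if (psl == 0)
        return 0;
    for (p = ps, len = psl; --len; ++p, ++visited)
        *p = table[(unsigned char)*p];
    return visited;
}

/* Identity table with 'a' -> 'x', applied to the constructed space "abca"
 * (psl 4). Returns 1 when the result is "xbca" with 3 bytes visited: the
 * last byte is left alone by the --len loop. */
int y_check(void)
{
    unsigned char table[256];
    char buf[] = "abca";
    int c;

    for (c = 0; c < 256; c++)
        table[c] = (unsigned char)c;
    table[(unsigned char)'a'] = 'x';
    return y_apply(buf, 4, table) == 3 && strcmp(buf, "xbca") == 0;
}

/* Replays `$!g; D` on the constructed input "blah","blah" with an empty
 * hold space: on every line but the last, g copies the empty hold space
 * over the pattern space, so D runs with psl == 0, the state that crashed.
 * Returns how many D invocations saw psl == 0; every cycle ends in the
 * 'd'-like branch, so nothing would be printed. */
int replay_dollar_not_g_D(void)
{
    static const char *input[] = { "blah", "blah" };   /* constructed */
    char ps[32];
    size_t psl, hsl = 0;        /* hold space starts empty */
    size_t i, n = sizeof input / sizeof input[0];
    int empty_hits = 0;

    for (i = 0; i < n; i++) {
        psl = strlen(input[i]);
        memcpy(ps, input[i], psl);
        if (i != n - 1)         /* $!g: not the last line */
            psl = hsl;
        if (psl == 0)
            empty_hits++;
        (void)d_cut(ps, psl);   /* -1 on both lines: new cycle */
    }
    return empty_hits;
}

int main(void)
{
    printf("unguarded length for psl == 0: %zu (SIZE_MAX %zu)\n",
           unguarded_search_len(0), (size_t)SIZE_MAX);
    printf("D: empty %ld, \"a\\nb\" %ld; P: empty %zu, \"a\\nb\" %zu\n",
           d_cut("", 0), d_cut("a\nb", 3), p_len("", 0), p_len("a\nb", 3));
    printf("y check %d, empty D cycles in `$!g; D`: %d\n",
           y_check(), replay_dollar_not_g_D());
    return 0;
}
```

The guard must precede the subtraction: once `psl - 1` has been evaluated on a size_t there is no negative value left to test for, which is why the patch tests `psl == 0` rather than the result of the search length.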