From owner-freebsd-bugs@FreeBSD.ORG  Sat Nov  1 19:32:57 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id C107716A4CF; Sat,  1 Nov 2003 19:32:57 -0800 (PST)
Received: from smtp02.syd.iprimus.net.au (smtp02.syd.iprimus.net.au
	[210.50.76.52])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 15F2243FA3; Sat,  1 Nov 2003 19:32:57 -0800 (PST)
	(envelope-from tjr@freebsd.org)
Received: from freebsd.org (210.50.38.19) by smtp02.syd.iprimus.net.au
	(7.0.020)        id 3F8F522A00528788; Sun, 2 Nov 2003 14:32:56 +1100
Message-ID: <3FA47BA1.9010700@freebsd.org>
Date: Sun, 02 Nov 2003 14:36:01 +1100
From: Tim Robbins <tjr@freebsd.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
	rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Kris Kennaway <kris@FreeBSD.org>
References: <200311020058.hA20w3rM082485@freefall.freebsd.org>
In-Reply-To: <200311020058.hA20w3rM082485@freefall.freebsd.org>
Content-Type: multipart/mixed;
 boundary="------------080802000204060704000602"
cc: freebsd-bugs@FreeBSD.org
cc: Eugene Grosbein <eugen@grosbein.pp.ru>
Subject: Re: bin/58813: Incorrect behavour of sed(1)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Nov 2003 03:32:57 -0000

This is a multi-part message in MIME format.
--------------080802000204060704000602
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Kris Kennaway wrote:

>Synopsis: Incorrect behavour of sed(1)
>
>Responsible-Changed-From-To: freebsd-bugs->tjr
>Responsible-Changed-By: kris
>Responsible-Changed-When: Sat Nov 1 16:57:45 PST 2003
>Responsible-Changed-Why: 
>tjr has done a lot of work on sed, perhaps he will be interested
>in fixing this.
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=58813
>  
>
Please try the attached patch. It fixes a buffer management bug that was 
causing heap corruption. The patch is against -current, but it should 
apply cleanly to 4.9.
(http://perforce.freebsd.org/chv.cgi?CH=41082)


Tim

--------------080802000204060704000602
Content-Type: text/plain;
 name="sed.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="sed.diff"

--- process.c.old	Sun Nov  2 14:27:26 2003
+++ process.c	Sun Nov  2 14:24:28 2003
@@ -557,7 +557,8 @@
 	char c, *dst;
 
 #define	NEEDSP(reqlen)							\
-	if (sp->len >= sp->blen - (reqlen) - 1) {			\
+	/* XXX What is the +1 for? */					\
+	if (sp->len + (reqlen) + 1 >= sp->blen) {			\
 		sp->blen += (reqlen) + 1024;				\
 		if ((sp->space = sp->back = realloc(sp->back, sp->blen)) \
 		    == NULL)						\

--------------080802000204060704000602--