From owner-freebsd-bugs@FreeBSD.ORG Sat Jan 30 17:30:02 2010
Resent-Date: Sat, 30 Jan 2010 17:30:02 GMT
Resent-Message-Id: <201001301730.o0UHU2IB013101@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Mikolaj Golub
Message-Id: <201001301722.o0UHM5AS073142@www.freebsd.org>
Date: Sat, 30 Jan 2010 17:22:05 GMT
From: Mikolaj Golub
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: bin/143375: [patch] awk(1) trashes memory with regexp and ^ anchor
X-List-Received-Date: Sat, 30 Jan 2010 17:30:02 -0000

>Number:         143375
>Category:       bin
>Synopsis:       [patch] awk(1) trashes memory with regexp and ^ anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 30 17:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Mikolaj Golub
>Release:        8.0-STABLE, 7.2-STABLE
>Organization:
>Environment:
FreeBSD zhuzha.ua1 8.0-STABLE FreeBSD 8.0-STABLE #6: Sun Jan 24 21:36:17 EET 2010     root@zhuzha.ua1:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
This problem with awk(1) regexp and ^ anchor trashing memory was reported to NetBSD by Nicolas Joly and it was fixed there.

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=40689

This script trashes the memory:

awk '/^root:/' /etc/passwd
>How-To-Repeat:
zhuzha:/usr/src/contrib/one-true-awk% CFLAGS=-g make
zhuzha:/usr/src/contrib/one-true-awk% gdb a.out
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) b b.c:927
Breakpoint 1 at 0x804e15b: file b.c, line 927.
(gdb) run '/^root:/' /etc/passwd
Starting program: /usr/src/contrib/one-true-awk/a.out '/^root:/' /etc/passwd

Breakpoint 1, cgoto (f=0x28239000, s=2, c=261) at b.c:927
927			f->gototab[s][c] = f->curstat;
(gdb) pt f->gototab
type = unsigned char [32][259]
(gdb) p c
$1 = 261
(gdb)
(gdb) list b.c:927
922			xfree(f->posns[f->curstat]);
923			if ((p = (int *) calloc(1, (setcnt+1)*sizeof(int))) == NULL)
924				overflo("out of space in cgoto");
925
926			f->posns[f->curstat] = p;
927			f->gototab[s][c] = f->curstat;
928			for (i = 0; i <= setcnt; i++)
929				p[i] = tmpset[i];
930			if (setvec[f->accept])
931				f->out[f->curstat] = 1;
>Fix:
See the attached patch adopted from NetBSD (PR/40689: Nicolas Joly: awk(1) trashes memory with RE and ^ anchor. Another place to special-case HAT.).

Patch attached with submission follows:

--- contrib/one-true-awk.orig/b.c	2007-06-05 18:33:51.000000000 +0300
+++ contrib/one-true-awk/b.c	2010-01-30 19:19:22.000000000 +0200
@@ -924,7 +924,8 @@
 			overflo("out of space in cgoto");

 		f->posns[f->curstat] = p;
-		f->gototab[s][c] = f->curstat;
+		if (c != HAT)
+			f->gototab[s][c] = f->curstat;
 		for (i = 0; i <= setcnt; i++)
 			p[i] = tmpset[i];
 		if (setvec[f->accept])
>Release-Note:
>Audit-Trail:
>Unformatted:
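Review bot: the `if (c != HAT)` guard added before `f->gototab[s][c] = f->curstat;` carries no comment explaining why HAT alone is excluded; the gdb session above shows the row type is `unsigned char [259]` while HAT arrives as c = 261, so a one-line comment stating that HAT is a pseudo-character lying above the table width (and therefore can never be a valid column) would make the special case self-documenting, and a check against the row width rather than the single sentinel would also reject any other out-of-range value instead of silently writing into the following state's row.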
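To make the failure mode concrete, here is an added C example (not awk's code and not part of this report) that models gototab with the dimensions shown in the gdb session ([32][259]) and the HAT value 261, computes which cell a store to gototab[s][HAT] really touches, and shows a guarded store of the kind the patch introduces; the struct, the NSTATES/NCHARS names and the HAT definition are assumptions derived from that output.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed from the gdb output above: gototab is unsigned char [32][259]
 * and the ^ anchor is passed to cgoto() as c == 261 (HAT). */
#define NSTATES 32
#define NCHARS  259
#define HAT     (NCHARS + 2)   /* 261: pseudo-character, not a real column */

struct fa_tab {               /* simplified stand-in for awk's fa struct */
    unsigned char gototab[NSTATES][NCHARS];
};

/* Where does the write gototab[s][c] actually land?  Returns 1 if the
 * target byte is still inside the array (i.e. another state's row), 0 if
 * it lies past the end of the object.  *row/*col receive the real cell. */
int resolve_cell(int s, int c, int *row, int *col)
{
    size_t flat = (size_t)s * NCHARS + (size_t)c;
    if (flat >= (size_t)NSTATES * NCHARS) {
        *row = -1; *col = -1;
        return 0;
    }
    *row = (int)(flat / NCHARS);
    *col = (int)(flat % NCHARS);
    return 1;
}

/* Guarded store in the spirit of the patch, but checking the row width so
 * any out-of-range column is refused, not only HAT.  Returns 1 on write. */
int store_goto_fixed(struct fa_tab *f, int s, int c, unsigned char curstat)
{
    if (c == HAT || c < 0 || c >= NCHARS || s < 0 || s >= NSTATES)
        return 0;
    f->gototab[s][c] = curstat;
    return 1;
}

int main(void)
{
    int row, col;
    resolve_cell(2, HAT, &row, &col);
    printf("gototab[2][HAT] aliases gototab[%d][%d]\n", row, col);
    if (!resolve_cell(NSTATES - 1, HAT, &row, &col))
        printf("gototab[%d][HAT] is past the end of the array\n", NSTATES - 1);
    return 0;
}
```

For s = 2 the stray store silently overwrites state 3's transition on column 2; for the last state it writes beyond the array altogether, which is the heap corruption the report describes.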