Date: Mon, 25 Apr 2005 23:43:43 GMT
From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/80348: rs(1) handles command line arguments improperly (SIGSEGV)
Message-ID: <200504252343.j3PNhgar003501@freebsd.czest.pl>
Resent-Message-ID: <200504252340.j3PNeHoS053961@freefall.freebsd.org>

>Number:         80348
>Category:       bin
>Synopsis:       rs(1) handles command line arguments improperly (SIGSEGV)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 25 23:40:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.4-STABLE FreeBSD 5.4-STABLE #8: Sat Apr 16 16:26:40 CEST 2005 dunstan@dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME8 i386

>Description:
rs(1) takes the number of rows and columns from the command line. Due to the
lack of validity checking, it has problems with handling malicious values.

>How-To-Repeat:
$ echo test | rs 1 -99999999999
zsh: done                              echo test |
zsh: segmentation fault (core dumped)  rs 1 -99999999999

Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `rs'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) bt
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at /usr/src/usr.bin/rs/rs.c:122
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) f 1
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at /usr/src/usr.bin/rs/rs.c:122
122             prepfile();
(gdb) l
117             getfile();
118             if (flags & SHAPEONLY) {
119                     printf("%d %d\n", irows, icols);
120                     exit(0);
121             }
122             prepfile();
123             putfile();
124             exit(0);
125     }
126
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) list
319                             colwidths[i] = colw;
320             if (!(flags & NOTRIMENDCOL)) {
321                     if (flags & RIGHTADJUST)
322                             colwidths[0] -= gutter;
323                     else
324                             colwidths[ocols - 1] = 0;
325             }
326             n = orows * ocols;
327             if (n > nelem && (flags & RECYCLE))
328                     nelem = n;
(gdb) quit

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
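
The following is an added example, not part of the original report and not the FreeBSD fix: one way to validate the row and column arguments before they size or index a table such as colwidths. The names parse_dim, alloc_colwidths and DIM_MAX are hypothetical, and treating 0 as "compute from the input" is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a row/column count; not a value taken from rs.c. */
#define DIM_MAX 65536L

/*
 * Parse one dimension argument. 0 is accepted on the assumption that the
 * caller treats it as "compute from the input". Returns 0 on success, -1 if
 * the string is not a plain decimal number within [0, DIM_MAX].
 */
int parse_dim(const char *s, int *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0')	/* empty, or trailing garbage */
		return -1;
	if (errno == ERANGE || v < 0 || v > DIM_MAX)
		return -1;		/* overflow, negative, or too large */
	*out = (int)v;
	return 0;
}

/*
 * Allocate the per-column width table only for a positive column count, so
 * that an access like widths[ocols - 1] stays inside the allocation.
 */
short *alloc_colwidths(int ocols)
{
	if (ocols <= 0 || ocols > DIM_MAX)
		return NULL;
	return calloc((size_t)ocols, sizeof(short));
}

int main(int argc, char **argv)
{
	int orows, ocols;
	if (argc != 3 || parse_dim(argv[1], &orows) || parse_dim(argv[2], &ocols)) {
		fprintf(stderr, "usage: %s rows cols\n", argv[0]);
		return 1;
	}
	printf("rows=%d cols=%d\n", orows, ocols);
	return 0;
}
```

With this check the arguments from the How-To-Repeat section ("1 -99999999999") are rejected with a usage error before any table is allocated or indexed.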