Date: Wed, 20 Nov 2002 16:54:15 GMT
From: David Jones <drj@pobox.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/45529: hexdump core-dumps with certain args [PATCH]
Message-ID: <200211201654.gAKGsFu64032@topcat.zoonami.com>
>Number:         45529
>Category:       bin
>Synopsis:       hexdump core-dumps with certain args [PATCH]
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 20 08:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     David Jones
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD topcat.zoonami.com 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Thu Nov 1 14:13:13 GMT 2001 root@topcat.zoonami.com:/usr/src/sys/compile/GENERIC i386
>Description:
These bugs exist on FreeBSD 4.3 and also on the version that I checked out from CVS on 2002-11-19 (i.e., the latest version).

As far as I can tell this is valid input (but it core dumps):

$ : problem 1
$ hexdump -e '/1 "\\%03o"'
segmentation violation--core dumped
$ hexdump -e '/1 "\t%03o"'
segmentation violation--core dumped

Also, the following has an erroneous error message:

$ : problem 2
$ hexdump -e '/1 "\%o"'
hexdump: %%: bad conversion character

I don't think the following is a valid format, but it shouldn't dump core (it's worth testing a couple of variations as they exercise different paths through the code):

$ : problem 3
$ hexdump -e '/1 "%03"'
segmentation violation--core dumped
$ hexdump -e '"%"'
segmentation violation--core dumped

=== Analysis ===

Problem 1 and problem 2 are due to bugs in the "escape" routine in parse.c. It is supposed to handle backslash escapes but due to buggy coding doesn't (critically, it doesn't have a default action to copy characters across; it only copies characters that follow a backslash, or the final NUL).

Problem 3 is due to incorrect string scanning using index in the routines "size" and "rewrite".

Supplied patches fix these things.
>How-To-Repeat: As above, any/all of the following: $ hexdump -e '"%"' $ hexdump -e '/1 "%03"' $ hexdump -e '/1 "\%o"' $ hexdump -e '/1 "\t%03o"' $ hexdump -e '/1 "\\%03o"' >Fix: diff -ru hexdump-20021119/hexdump.h hexdump/hexdump.h --- hexdump-20021119/hexdump.h Wed Sep 4 23:29:01 2002 +++ hexdump/hexdump.h Wed Nov 20 15:34:33 2002 @@ -86,6 +86,7 @@ void badcnt(char *); void badconv(char *); void badfmt(const char *); +void badnulconv(void); void badsfmt(void); void bpad(PR *); void conv_c(PR *, u_char *); diff -ru hexdump-20021119/parse.c hexdump/parse.c --- hexdump-20021119/parse.c Wed Sep 4 23:29:01 2002 +++ hexdump/parse.c Wed Nov 20 15:55:06 2002 @@ -172,7 +172,7 @@ * skip any special chars -- save precision in * case it's a %s format. */ - while (index(spec + 1, *++fmt)); + while (index(spec + 1, *++fmt) && *fmt); if (*fmt == '.' && isdigit(*++fmt)) { prec = atoi(fmt); while (isdigit(*++fmt)); @@ -244,10 +244,10 @@ if (fu->bcnt) { sokay = USEBCNT; /* Skip to conversion character. */ - for (++p1; index(spec, *p1); ++p1); + for (++p1; index(spec, *p1) && *p1; ++p1); } else { /* Skip any special chars, field width. */ - while (index(spec + 1, *++p1)); + while (index(spec + 1, *++p1) && *p1); if (*p1 == '.' && isdigit(*++p1)) { sokay = USEPREC; prec = atoi(p1); @@ -266,6 +266,9 @@ * padding for end of data. */ switch(cs[0]) { + case '\0': + badnulconv(); + /* NOTREACHED */ case 'c': pr->flags = F_CHAR; switch(fu->bcnt) { @@ -451,8 +454,8 @@ /* alphabetic escape sequences have to be done in place */ for (p2 = p1;; ++p1, ++p2) { + *p2 = *p1; if (!*p1) { - *p2 = *p1; break; } if (*p1 == '\\') @@ -508,4 +511,10 @@ badconv(char *ch) { errx(1, "%%%s: bad conversion character", ch); +} + +void +badnulconv(void) +{ + errx(1, "expected conversion character after %% specifier"); } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
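Review bot: in the hexdump.h hunk, badnulconv() exists only to abort via errx(), and the parse.c caller depends on that with a `/* NOTREACHED */` fall-through into `case 'c'`; a noreturn annotation on this prototype would let the compiler check that assumption instead of leaving it to the comment.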
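Review bot: the `&& *fmt` guard in the parse.c @@ -172 hunk is needed because index() treats the terminating NUL as a match and returns a non-NULL pointer to it, so the old loop ran off the end of the format string; the rewrite() hunk pairs its equivalent guard with a new `case '\0'`, but nothing in this size() hunk shows what happens once `*fmt` is left on the terminator, so confirm that the code which follows (including any `++fmt` in the enclosing loop) does not step past it. Testing the character first, as in `while (*++fmt && index(spec + 1, *fmt));`, would also avoid handing the terminator to index() at all.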
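Review bot: the parse.c @@ -244 hunk repeats the same `&& *p1` guard in two loops (three counting the size() hunk) with no comment on why it is there; a one-line note that index() matches the terminating NUL would keep a later cleanup from dropping the apparently redundant test. With the guard in place a format such as `"%03"` or `"%"` leaves p1 on the terminator, which is what the new `case '\0'` further down is there to catch.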
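Review bot: in the parse.c @@ -266 hunk, `case '\0'` sits directly above `case 'c'` with only `/* NOTREACHED */` between them, so the switch stays correct only as long as badnulconv() never returns; either mark the helper noreturn so the compiler enforces that, or add an explicit `break` after the call so a future change to the helper cannot turn a missing conversion character into a silent `%c`.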
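Review bot: moving `*p2 = *p1;` ahead of the terminator test in the parse.c @@ -451 hunk is the right fix for the missing default copy (every character now reaches p2, and the escape branch overwrites it when needed), but the `if (*p1 == '\\')` branch that follows is not shown: for a format ending in a lone backslash, that branch's `*++p1` lands on the terminator and the loop's `++p1` then steps past it, so that branch needs its own `'\0'` check before the loop continues.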
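Review bot: badnulconv() in the parse.c @@ -508 hunk reports the error without saying which `%` specifier or format it refers to, while the neighbouring badconv() includes the offending text; passing the format string (or the position of the `%`) into the message would make a bad `-e` argument easier to locate in a longer format.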
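To show the two bug classes the report describes without the rest of hexdump, here is an added C example (not code from the PR or from FreeBSD): a `%`-specifier scanner with the patch's terminator guard, and an in-place `escape()` that copies every character by default. The `spec` flag set, the reduced escape table and the trailing-backslash handling are assumptions of this example, not hexdump's.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Flag characters that may follow '%' (assumed set for this example;
 * index 0 is '.', so spec + 1 skips it, as in the patched loops). */
static const char *spec = ".#-+ 0123456789";

/* Offset of the conversion character after the '%' at fmt[0], or -1 if
 * the format ends first.  strchr()/index() return a pointer to the
 * terminating NUL, never NULL, for the character '\0', so the loop must
 * also test *p: without "&& *p" it walks off the end of the string. */
int skip_spec(const char *fmt)
{
    const char *p = fmt;

    assert(*p == '%');
    while (strchr(spec + 1, *++p) && *p)
        ;
    return *p == '\0' ? -1 : (int)(p - fmt);
}

/* In-place backslash-escape expansion.  The unconditional copy at the top
 * of the loop is the fix from the patch; a lone trailing backslash is kept
 * and terminated explicitly so the loop never steps past the NUL.
 * Returns the length of the result. */
size_t escape(char *p1)
{
    char *start = p1, *p2;

    for (p2 = p1;; ++p1, ++p2) {
        *p2 = *p1;               /* default: copy the character across */
        if (!*p1)
            break;
        if (*p1 == '\\') {
            switch (*++p1) {     /* reduced escape table for the example */
            case 'n': *p2 = '\n'; break;
            case 't': *p2 = '\t'; break;
            case '\0':           /* "abc\" : keep the backslash, stop */
                *++p2 = '\0';
                return (size_t)(p2 - start);
            default:  *p2 = *p1; break;  /* "\\" -> "\", "\%" -> "%" */
            }
        }
    }
    return (size_t)(p2 - start);
}
```

With the guard removed from skip_spec() the `"%03"` and `"%"` inputs below read past the terminator, which is the failure the report's problem 3 exercises.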