Date: Wed, 20 Nov 2002 16:54:15 GMT From: David Jones <drj@pobox.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/45529: hexdump core-dumps with certain args [PATCH] Message-ID: <200211201654.gAKGsFu64032@topcat.zoonami.com>
>Number: 45529
>Category: bin
>Synopsis: hexdump core-dumps with certain args [PATCH]
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 20 08:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: David Jones
>Release: FreeBSD 4.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD topcat.zoonami.com 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Thu Nov 1 14:13:13 GMT 2001 root@topcat.zoonami.com:/usr/src/sys/compile/GENERIC i386
>Description:
These bugs exist on FreeBSD 4.3 and also on the version that I checked
out from CVS on 2002-11-19 (i.e., the latest version).
As far as I can tell this is valid input (but it core dumps):
$ : problem 1
$ hexdump -e '/1 "\\%03o"'
segmentation violation--core dumped
$ hexdump -e '/1 "\t%03o"'
segmentation violation--core dumped
Also, the following has an erroneous error message:
$ : problem 2
$ hexdump -e '/1 "\%o"'
hexdump: %%: bad conversion character
I don't think the following is a valid format, but it shouldn't dump core
(it's worth testing a couple of variations as they exercise different
paths through the code):
$ : problem 3
$ hexdump -e '/1 "%03"'
segmentation violation--core dumped
$ hexdump -e '"%"'
segmentation violation--core dumped
=== Analysis ===
problem 1 and problem 2 are due to bugs in the "escape" routine in
parse.c. It is supposed to handle backslash escapes but due to buggy
coding doesn't (critically, it doesn't have a default action to copy
characters across, it only copies characters that follow a backslash, or
the final NUL).
problem 3 is due to incorrect string scanning using index in the
routines "size" and "rewrite".
The supplied patches fix these things.
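The terminator behaviour behind problem 3, as an added example that is not part of this report or of FreeBSD's hexdump source: the unfixed loop shape beside the patched one, driven over a constructed buffer. It assumes the spec string parse.c uses for flag and width characters, and uses strchr, the standard name for index.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag and width characters skipped after '%' (the spec string parse.c uses). */
static const char *spec = ".#-+ 0123456789";

/* Unpatched loop shape.  A NUL does not stop it: strchr(spec + 1, '\0') points
 * at spec's own terminator and is therefore non-NULL.  `len` bounds the walk so
 * the overrun is observable here rather than undefined. */
size_t skip_width_buggy(const char *buf, size_t len)
{
    const char *fmt = buf;                          /* at the '%' */
    while ((size_t)(fmt - buf) + 1 < len && strchr(spec + 1, *++fmt))
        ;
    return (size_t)(fmt - buf);                     /* offset where the scan stopped */
}

/* The same loop with the patch's `&& *fmt` test: the terminator ends the scan. */
size_t skip_width_fixed(const char *buf)
{
    const char *fmt = buf;
    while (strchr(spec + 1, *++fmt) && *fmt)
        ;
    return (size_t)(fmt - buf);
}

/* What the patch's new `case '\0': badnulconv();` guards: once the scan stops,
 * a conversion character must actually be present. */
int has_conversion(const char *buf)
{
    return buf[skip_width_fixed(buf)] != '\0';
}

/* Constructed input: the format "%03" from problem 3, its NUL, then stale bytes
 * standing in for whatever memory happens to follow the real format string. */
static const char sample[] = "%03\0" "1.5x";

size_t demo_buggy(void) { return skip_width_buggy(sample, sizeof sample); } /* 5: past the NUL */
size_t demo_fixed(void) { return skip_width_fixed(sample); }                /* 3: at the NUL */

int main(void)
{
    printf("buggy scan stopped at offset %zu (strlen is %zu)\n", demo_buggy(), strlen(sample));
    printf("fixed scan stopped at offset %zu\n", demo_fixed());
    printf("\"%%03\" has conversion char: %d\n", has_conversion("%03"));
    return 0;
}
```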
>How-To-Repeat:
As above, any/all of the following:
$ hexdump -e '"%"'
$ hexdump -e '/1 "%03"'
$ hexdump -e '/1 "\%o"'
$ hexdump -e '/1 "\t%03o"'
$ hexdump -e '/1 "\\%03o"'
>Fix:
diff -ru hexdump-20021119/hexdump.h hexdump/hexdump.h
--- hexdump-20021119/hexdump.h Wed Sep 4 23:29:01 2002
+++ hexdump/hexdump.h Wed Nov 20 15:34:33 2002
@@ -86,6 +86,7 @@
void badcnt(char *);
void badconv(char *);
void badfmt(const char *);
+void badnulconv(void);
void badsfmt(void);
void bpad(PR *);
void conv_c(PR *, u_char *);
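Review bot: the new `badnulconv` prototype is declared like the other `bad*` helpers, none of which carries a noreturn annotation in the visible lines; since it ends in `errx(1, ...)` and the caller in parse.c relies on it never returning (the `/* NOTREACHED */` fall-through into `case 'c'`), consider marking it noreturn in the header so the compiler, not only a comment, knows the fall-through is unreachable.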
diff -ru hexdump-20021119/parse.c hexdump/parse.c
--- hexdump-20021119/parse.c Wed Sep 4 23:29:01 2002
+++ hexdump/parse.c Wed Nov 20 15:55:06 2002
@@ -172,7 +172,7 @@
* skip any special chars -- save precision in
* case it's a %s format.
*/
- while (index(spec + 1, *++fmt));
+ while (index(spec + 1, *++fmt) && *fmt);
if (*fmt == '.' && isdigit(*++fmt)) {
prec = atoi(fmt);
while (isdigit(*++fmt));
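Review bot: the added `&& *fmt` is the right stop condition, because `index()` treats the terminating NUL as part of the string, so `index(spec + 1, '\0')` returns a non-NULL pointer and the old loop walked past the end of the format; testing `*fmt` first (`*fmt && index(spec + 1, *fmt)`) would avoid looking the terminator up at all and reads more clearly, and the empty body would be easier to spot on its own line as `;`. Note also that after this loop stops on a NUL, the `if (*fmt == '.' ...)` test is safe but the caller still needs the later `case '\0'` to report the missing conversion character.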
@@ -244,10 +244,10 @@
if (fu->bcnt) {
sokay = USEBCNT;
/* Skip to conversion character. */
- for (++p1; index(spec, *p1); ++p1);
+ for (++p1; index(spec, *p1) && *p1; ++p1);
} else {
/* Skip any special chars, field width. */
- while (index(spec + 1, *++p1));
+ while (index(spec + 1, *++p1) && *p1);
if (*p1 == '.' && isdigit(*++p1)) {
sokay = USEPREC;
prec = atoi(p1);
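Review bot: same fix as in `size()`, applied to both scan loops in `rewrite()`; the first one scans with `spec` rather than `spec + 1`, as before, so `'.'` is skipped there, which is pre-existing behaviour and not changed by this hunk. This is now the third copy of the `index(...) && *p` idiom; a small helper that advances past flag and width characters and stops at NUL would keep the three call sites from drifting apart again.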
@@ -266,6 +266,9 @@
* padding for end of data.
*/
switch(cs[0]) {
+ case '\0':
+ badnulconv();
+ /* NOTREACHED */
case 'c':
pr->flags = F_CHAR;
switch(fu->bcnt) {
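Review bot: placing `case '\0'` before `case 'c'` with only `/* NOTREACHED */` between them relies on `badnulconv()` never returning; that is true of `errx`, but a missing-return-path warning or a future edit that turns `badnulconv` into a non-fatal report would silently fall into the `'c'` handling. A `break;` or `exit()`-style terminator after the call costs nothing and makes the intent explicit.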
@@ -451,8 +454,8 @@
/* alphabetic escape sequences have to be done in place */
for (p2 = p1;; ++p1, ++p2) {
+ *p2 = *p1;
if (!*p1) {
- *p2 = *p1;
break;
}
if (*p1 == '\\')
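Review bot: moving `*p2 = *p1;` to the top of the loop supplies the missing default copy the report describes, so ordinary characters now reach the output instead of being dropped; because `p2` never runs ahead of `p1`, the in-place copy is safe. The backslash branch that follows is not shown in this hunk: each of its cases must still overwrite `*p2` after advancing `p1`, otherwise the byte copied at the top of the loop (the backslash itself) is what ends up in the output.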
@@ -508,4 +511,10 @@
badconv(char *ch)
{
errx(1, "%%%s: bad conversion character", ch);
+}
+
+void
+badnulconv(void)
+{
+ errx(1, "expected conversion character after %% specifier");
}
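Review bot: `badconv()` quotes the offending conversion text in its message, whereas the new `badnulconv()` reports only "expected conversion character after %% specifier", which gives a user with several `-e` formats no hint which one is malformed; passing the format unit string (as `badfmt(const char *)` already takes) would make the diagnostic actionable. The message text itself correctly doubles the `%` for `errx`.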
>Release-Note:
>Audit-Trail:
>Unformatted:
