Bug 137707
| Summary: | -CURRENT ee(1) segfaults when seeking to an out-of-bound line number | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | deeptech71 <deeptech71> | ||||
| Component: | bin | Assignee: | Xin LI <delphij> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | ||||||
| Priority: | Normal | ||||||
| Version: | Unspecified | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
|
Description
deeptech71@gmail.com
2009-08-13 01:40:08 UTC
The version of ee.c in contrib/ee initialize char *direction to NULL,
the value of this pointer is then calculated depending on if the
cursor should move up and down. Without any next lines, the pointer
is never initialized before fed to strcmp() which segfaults on
the NULL pointer.
This bug is only triggered if the cursor is at the last line and
one attempts to move down.
To minimize the changes of the contrib source it's easiest to
just initialize direction to "d", this should have no impact
as the pointer is changed when possible and moving "down" 0 lines
has no effect.
CCed the upstream author as the sources in the tree (1.5.0)
looks identical in this aspect.
Hugh, any particular reason direction isn't just a char? I might
be missing something but it seems it's only used with lines containing
one character only.
Fredrik
Program received signal SIGSEGV, Segmentation fault.
0x281a4ec8 in strcmp () from /lib/libc.so.7
#1 0x0804cda6 in goto_line (cmd_str=0x28217102 "2")
at /usr/home/fli/work/freebsd/src/usr.bin/ee/../../contrib/ee/ee.c:2027
2027 if (!strcmp(direction, "d"))
(gdb) print direction
$1 = 0x0
(gdb) print number
$4 = 2
(gdb) print t_line->line_number
$5 = 1
(gdb) print t_line->next_line
$6 = (struct text *) 0x0
patch has been committed to HEAD by delphij@ (r199123). needs to be mfc'ed to 8-stable and maybe 8.0 (if re@ approves). afaic 7-stable and 6-stable still run ee 1.4.x. originator reports that the problem doesn't exist in the ee 1.4 branch. please mark pr patched. thanks. alex State Changed From-To: open->patched A patch has been committed against -HEAD to address this issue. The current plan is to MFC the change to 8-STABLE next week, but probably not 8.0-RELEASE since we are already late with the release. Responsible Changed From-To: freebsd-bugs->delphij Take since I have committed the change. State Changed From-To: patched->closed Patch has been applied against 8-STABLE. This is not applicable for 7.x so I think this ticket can be closed. Author: delphij Date: Mon Dec 14 22:38:51 2009 New Revision: 200556 URL: http://svn.freebsd.org/changeset/base/200556 Log: MFC r199123: Add a minimal change to prevent NULL deference in ee(1). To repeat the problem, one can press "Ctrl+C" and then enter "0". Submitted by: Alexander Best <alexbestms wwu de> PR: bin/137707 Modified: stable/8/contrib/ee/ee.c Directory Properties: stable/8/contrib/ee/ (props changed) Modified: stable/8/contrib/ee/ee.c ============================================================================== --- stable/8/contrib/ee/ee.c Mon Dec 14 22:30:07 2009 (r200555) +++ stable/8/contrib/ee/ee.c Mon Dec 14 22:38:51 2009 (r200556) @@ -1993,7 +1993,7 @@ char *cmd_str; int number; int i; char *ptr; - char *direction = NULL; + char *direction = "d"; struct text *t_line; ptr = cmd_str; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" |
