
Re: Bug report on freebsd-buildutils: mtree crashes with exit status 139



Having looked at the cause of this, a reduced testcase is:

#\
oops

mtree's specfile parser does not handle a continuation character
in a comment, if it appears on the first line of the specfile.  It
triggers a NULL pointer dereference.

I have a lot of respect for the Mayhem tool now as a way to find
corner cases in simple C parsers.  I'm sure the team at CMU's project
will find some very real bugs in Debian.  If applied to setuid
binaries and network daemons there will likely be some security bugs
found and fixed.

To fix this bug in mtree I suggest ignoring continuation characters
on comment lines, as it is not documented that they should work
anyway:

--- freebsd-buildutils-9.0.orig/src/usr.sbin/mtree/spec.c       2013-06-27 19:11:08.000000000 +0000
+++ freebsd-buildutils-9.0/src/usr.sbin/mtree/spec.c    2013-06-27 20:34:30.390244550 +0000
@@ -89,8 +89,12 @@
                for (p = buf; *p && isspace(*p); ++p);
 
                /* If nothing but whitespace or comment char, continue. */
-               if (!*p || *p == '#')
+               if (!*p || *p == '#') {
+                       /* Ignore continuation character, if any */
+                       if (*p == '#')
+                               c_next = 0;
                        continue;
+               }
 
 #ifdef DEBUG
                (void)fprintf(stderr, "line %d: {%s}\n", lineno, p);
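Review bot: the `c_next = 0` reset is guarded by an inner `if (*p == '#')`, so of the two cases the outer `if (!*p || *p == '#')` skips, only comment lines clear the continuation state; a whitespace-only line whose trailing backslash was stripped earlier (as the comment-line case in the reduced testcase implies happens before this check) would still leave `c_next` set from that line. If that is intended, the comment should say so; otherwise drop the inner test and reset `c_next` unconditionally inside the block, e.g. `if (!*p || *p == '#') { c_next = 0; continue; }`, which also removes the nested branch. Since this makes a trailing backslash on a comment line a no-op, a one-line note in mtree's specfile documentation stating that continuation is not honoured on comment lines would help, as the change silently alters behaviour that previously crashed rather than erroring out.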


-- 
Steven Chamberlain
steven@pyro.eu.org

