
Bug#256725: [PATCH] Fix insufficient message buffer size when hitting unknown command (Re: Bug#256725: sed segfaults on invalid scripts such as 'm')



Hi Paolo,

This patch fixes the bug raised at the Debian project at:

	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256725

To reproduce the bug:

	$ LANG=C sed --version
	GNU sed version 4.1.1
	Copyright (C) 2003 Free Software Foundation, Inc.
	This is free software; see the source for copying conditions.  There is NO
	warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
	to the extent permitted by law.

	$ LANG=C sed m
	sed: -e expression #1, char 1: unknown command: `m'
	$ LANG=en_US sed m
	Segmentation fault

This is caused by the insufficient buffer size at
compile.c:bad_command().  It allocates only 20 bytes for the above
message, but the string size is also 20 bytes.  There's no "NULL"
space, so it causes a buffer overflow.  The attached patch expands the
buffer size to allow one extra NULL byte.  After applying the
patch, I got:

	$ env LANG=en_US ./sed m
	./sed: -e expression #1, char 1: unknown command: `m'

Please apply it.
Thanks for your usual great work.

Regards,
-- gotom


2004-08-06  GOTO Masanori  <gotom@debian.or.jp>

	* sed/compile.c: Fix insufficient message buffer size when hitting
	unknown command.


--- sed-4.1.1.orig/sed/compile.c	2004-06-30 03:05:21.000000000 +0900
+++ sed-4.1.1/sed/compile.c	2004-08-06 10:52:06.000000000 +0900
@@ -1,5 +1,5 @@
 /*  GNU SED, a batch stream editor.
-    Copyright (C) 1989,90,91,92,93,94,95,98,99,2002,2003
+    Copyright (C) 1989,90,91,92,93,94,95,98,99,2002,2003,2004
     Free Software Foundation, Inc.
 
     This program is free software; you can redistribute it and/or modify
@@ -195,7 +195,7 @@
   char ch;
 {
   const char *msg = _(UNKNOWN_CMD);
-  char *unknown_cmd = xmalloc(strlen(msg) - 1);
+  char *unknown_cmd = xmalloc(strlen(msg));
   sprintf(unknown_cmd, msg, ch);
   bad_prog(unknown_cmd);
 }
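Review bot: In bad_command(), the new size `strlen(msg)` is correct only while the text returned by `_(UNKNOWN_CMD)` contains exactly one two-character conversion that expands to a single byte, and the `sprintf` on the next line is still unbounded, so a translated message that breaks that assumption would overflow the buffer again. Please add a comment spelling out the arithmetic (format length, minus one for the conversion shrinking, plus one for the terminator), or keep the size in a variable and write with `snprintf(unknown_cmd, size, msg, ch)` so the bound is enforced rather than implied.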


Regards,
-- gotom
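The size arithmetic described in the message above, worked through as an added example (not part of the original post or of the sed source). The format string is an assumption inferred from the error text quoted in the report, and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed C-locale value of UNKNOWN_CMD, inferred from the quoted error text. */
static const char UNKNOWN_CMD_C[] = "unknown command: `%c'";

/* Bytes required for the formatted message, including the terminating NUL.
   C99 snprintf with a zero-size buffer returns the length it would write. */
size_t bytes_needed(const char *fmt, char ch)
{
  int n = snprintf(NULL, 0, fmt, ch);
  return n < 0 ? 0 : (size_t) n + 1;
}

/* Allocation sizes used by bad_command() before and after the patch. */
size_t size_before_patch(const char *fmt) { return strlen(fmt) - 1; }
size_t size_after_patch(const char *fmt)  { return strlen(fmt); }

/* Hardened variant: measure first, allocate that much, format with a bound.
   Returns a malloc'd string the caller frees, or NULL on failure. */
char *format_unknown_cmd(const char *fmt, char ch)
{
  size_t need = bytes_needed(fmt, ch);
  char *buf;

  if (need == 0 || (buf = malloc(need)) == NULL)
    return NULL;
  snprintf(buf, need, fmt, ch);
  return buf;
}

int main(void)
{
  char *s = format_unknown_cmd(UNKNOWN_CMD_C, 'm');

  printf("needed=%zu before_patch=%zu after_patch=%zu\n",
         bytes_needed(UNKNOWN_CMD_C, 'm'),
         size_before_patch(UNKNOWN_CMD_C),
         size_after_patch(UNKNOWN_CMD_C));
  if (s != NULL)
    puts(s);
  free(s);
  return 0;
}
```
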



