GNU logs - #39165, boring messages


Message sent to bug-sed@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#39165: [PATCH] sed: handle very long execution lines
Resent-From: Tobias Stoeckmann <tobias@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-sed@HIDDEN
Resent-Date: Fri, 17 Jan 2020 20:50:01 +0000
Resent-Message-ID: <handler.39165.B.157929419124618 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 39165
X-GNU-PR-Package: sed
X-GNU-PR-Keywords: patch
To: 39165 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-sed@HIDDEN
Date: Fri, 17 Jan 2020 20:49:33 +0100
From: Tobias Stoeckmann <tobias@HIDDEN>
Message-ID: <20200117194933.ribsxwlyuqrr7kft@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

If sed is called with an excessively long execution line, then it is
prone to an out of boundary memory access.

The problem is that the length of the execution line, which is a
size_t, is temporarily stored in an int. This means that on systems
which have a 64 bit size_t and a 32 bit int (e.g. linux amd64) an
execution line which exceeds 2 GB will overflow int. If it is just
slightly larger than 2 GB, the negative int value is used as an
array index to finish the execution line string with '\0' which
therefore triggers the out of boundary access.

This problem is probably never triggered in reality, but can be
provoked like this (given that 'e' support is compiled in):

$ dd if=/dev/zero bs=1M count=2049 | tr '\0' 'e' > e-command.txt
$ sed -f e-command.txt /etc/fstab
Segmentation fault (core dumped)
$ _

While at it, I also adjusted another int/size_t conversion, even
though it is a purely cosmetic change, because it can never be
larger than 4096.

Signed-off-by: Tobias Stoeckmann <tobias@HIDDEN>
---
 sed/execute.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sed/execute.c b/sed/execute.c
index c5f07cc..8f43f2e 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -1347,7 +1347,7 @@ execute_program (struct vector *vec, struct input *input)
               panic (_("`e' command not supported"));
 #else
               FILE *pipe_fp;
-              int cmd_length = cur_cmd->x.cmd_txt.text_length;
+              size_t cmd_length = cur_cmd->x.cmd_txt.text_length;
               line_reset (&s_accum, NULL);
 
               if (!cmd_length)
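
Review bot: widening cmd_length to size_t at the declaration only closes the bug if nothing further down narrows it again. The uses the commit message describes (the index that writes the terminating '\0') fall outside this hunk's context, so please confirm that none of them pass cmd_length to an int parameter or do signed arithmetic on it. The `if (!cmd_length)` test shown here is unaffected by the type change.
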
@@ -1367,7 +1367,7 @@ execute_program (struct vector *vec, struct input *input)
 
               {
                 char buf[4096];
-                int n;
+                size_t n;
                 while (!feof (pipe_fp))
                   if ((n = fread (buf, sizeof (char), 4096, pipe_fp)) > 0)
                     {
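
Review bot: with n now a size_t, the `> 0` test on the fread line can only mean `!= 0`, and the surrounding `while (!feof (pipe_fp))` has no ferror check in the lines shown. fread reports a read error as a short count rather than a negative value, so a stream that errors without reaching EOF would keep this loop spinning unless the body handles it. Consider adding `ferror (pipe_fp)` to the loop condition, and using `sizeof buf` in place of the repeated 4096.
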
-- 
2.25.0
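
The narrowing described in the report, as an added example that is not part of the original message or of sed's source: it models the value a 32-bit int receives from a size_t length and shows a checked conversion beside it. The function names are hypothetical, using the narrowed length directly as the terminator index is an assumption, and the "truncated" case (lengths past 4 GiB) goes beyond the case in the report.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit two's-complement int receives from a size_t, as in the
   pre-patch `int cmd_length = ...text_length;`. Computed arithmetically so
   the model itself has no implementation-defined conversion. */
static int32_t narrow_to_int32(size_t len)
{
    uint32_t low = (uint32_t)(len & 0xFFFFFFFFu);
    return low <= (uint32_t)INT32_MAX ? (int32_t)low
                                      : (int32_t)((int64_t)low - 4294967296LL);
}

enum idx_kind { IDX_OK, IDX_NEGATIVE, IDX_TRUNCATED };

/* Assumption: the narrowed length is used directly as the index of the
   terminating '\0'. Classifies where that write would land. */
static enum idx_kind classify_index(size_t len)
{
    int32_t idx = narrow_to_int32(len);
    if (idx < 0)
        return IDX_NEGATIVE;        /* before the start of the buffer */
    return (size_t)idx == len ? IDX_OK : IDX_TRUNCATED;
}

/* Checked conversion for call sites that really need an int:
   returns 0 and stores the value, or -1 if len does not fit. */
static int size_to_int_checked(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return -1;
    *out = (int)len;
    return 0;
}

int main(void)
{
    /* Constructed lengths: short command, INT_MAX, the report's 2049 MiB. */
    size_t samples[] = { 16, (size_t)INT_MAX, (size_t)2049 << 20 };
    static const char *names[] = { "ok", "negative", "truncated" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0, rc = size_to_int_checked(samples[i], &v);
        printf("len=%zu int32=%ld index=%s checked=%s\n", samples[i],
               (long)narrow_to_int32(samples[i]),
               names[classify_index(samples[i])], rc ? "rejected" : "fits");
    }
    return 0;
}
```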





Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Tobias Stoeckmann <tobias@HIDDEN>
Subject: bug#39165: Acknowledgement ([PATCH] sed: handle very long
 execution lines)
Message-ID: <handler.39165.B.157929419124618.ack <at> debbugs.gnu.org>
References: <20200117194933.ribsxwlyuqrr7kft@localhost>
X-Gnu-PR-Message: ack 39165
X-Gnu-PR-Package: sed
X-Gnu-PR-Keywords: patch
Reply-To: 39165 <at> debbugs.gnu.org
Date: Fri, 17 Jan 2020 20:50:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-sed@HIDDEN

If you wish to submit further information on this problem, please
send it to 39165 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
39165: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=39165
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems



Last modified: Fri, 17 Jan 2020 21:00:02 UTC
