GNU bug report logs - #39165
[PATCH] sed: handle very long execution lines


Package: sed; Reported by: Tobias Stoeckmann <tobias@HIDDEN>; Keywords: patch; dated Fri, 17 Jan 2020 20:50:01 UTC; Maintainer for sed is bug-sed@HIDDEN.

Date: Fri, 17 Jan 2020 20:49:33 +0100
From: Tobias Stoeckmann <tobias@HIDDEN>
To: bug-sed@HIDDEN
Subject: [PATCH] sed: handle very long execution lines
Message-ID: <20200117194933.ribsxwlyuqrr7kft@localhost>

If sed is called with an excessively long execution line, then it is
prone to an out of boundary memory access.

The problem is that the length of the execution line, which is a
size_t, is temporarily stored in an int. This means that on systems
which have a 64 bit size_t and a 32 bit int (e.g. linux amd64) an
execution line which exceeds 2 GB will overflow int. If it is just
slightly larger than 2 GB, the negative int value is used as an
array index to finish the execution line string with '\0' which
therefore triggers the out of boundary access.

This problem is probably never triggered in reality, but can be
provoked like this (given that 'e' support is compiled in):

$ dd if=/dev/zero bs=1M count=2049 | tr '\0' 'e' > e-command.txt
$ sed -f e-command.txt /etc/fstab
Segmentation fault (core dumped)
$ _

While at it, I also adjusted another int/size_t conversion, even
though it is a purely cosmetic change, because it can never be
larger than 4096.

Signed-off-by: Tobias Stoeckmann <tobias@HIDDEN>
 sed/execute.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sed/execute.c b/sed/execute.c
index c5f07cc..8f43f2e 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -1347,7 +1347,7 @@ execute_program (struct vector *vec, struct input *input)
               panic (_("`e' command not supported"));
               FILE *pipe_fp;
-              int cmd_length = cur_cmd->x.cmd_txt.text_length;
+              size_t cmd_length = cur_cmd->x.cmd_txt.text_length;
               line_reset (&s_accum, NULL);
               if (!cmd_length)
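Review bot: the hunk shows only the declaration of cmd_length, not the '\0' write the commit message describes as the crash site, so a reviewer cannot confirm from these lines that every later use of cmd_length (the index write and anything that received it as an int) now takes a size_t; it would help to extend the hunk, or state in the message, which consumers were checked. The `if (!cmd_length)` test in the trailing context is still correct for an unsigned value.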
@@ -1367,7 +1367,7 @@ execute_program (struct vector *vec, struct input *input)
                 char buf[4096];
-                int n;
+                size_t n;
                 while (!feof (pipe_fp))
                   if ((n = fread (buf, sizeof (char), 4096, pipe_fp)) > 0)
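Review bot: `size_t n` matches the return type of fread, so the `> 0` comparison is now between unsigned values and the signed/unsigned mismatch is gone; the remaining point in this region is the `while (!feof (pipe_fp))` loop, which only terminates on end-of-file. If fread returns 0 because of a read error on the pipe, the error indicator is set but feof stays clear, so the loop keeps calling fread. Consider `while (!feof (pipe_fp) && !ferror (pipe_fp))`, or checking ferror (pipe_fp) after the loop, so a failing child pipe cannot spin sed forever.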

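The truncation described in the report, as an added example that is constructed here and is not sed's code: it models how a size_t command length became an int before the patch, what index the '\0' write would then use for the 2049 MiB reproducer, and the round-trip check to apply wherever a size_t must still cross an int boundary. The function names and the MIB macro are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not sed's code: models the cmd_length handling in
 * execute.c before and after the patch, using the 2049 MiB reproducer size. */

#define MIB ((size_t) 1024 * 1024)

/* Before the patch: the size_t length is copied into an int. Converting an
 * out-of-range value to int is implementation-defined; gcc and clang on LP64
 * reduce modulo 2^32, so 2049 MiB becomes a large negative number. Returns
 * the index that the terminating '\0' write would use. */
static long terminator_index_before(size_t text_length)
{
    int cmd_length = (int) text_length;   /* truncating copy, as in the old code */
    return (long) cmd_length - 1;
}

/* After the patch: the length stays size_t, so the index is exact (returned
 * as long only so the two variants can be compared). */
static long terminator_index_after(size_t text_length)
{
    size_t cmd_length = text_length;
    return (long) (cmd_length - 1);
}

/* The check a reviewer wants wherever a size_t still has to pass through an
 * int: reject lengths that would not survive the conversion. */
static int length_fits_int(size_t text_length)
{
    return text_length <= (size_t) INT_MAX;
}

int main(void)
{
    size_t len = 2049 * MIB;   /* same size as the dd reproducer */
    printf("before patch: index %ld\n", terminator_index_before(len));
    printf("after patch:  index %ld\n", terminator_index_after(len));
    printf("fits in int:  %s\n", length_fits_int(len) ? "yes" : "no");
    return 0;
}
```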
Last modified: Fri, 17 Jan 2020 21:00:02 UTC
