GNU bug report logs - #70232
Bug in argument handling may lead to segfault if --debug is passed after any compile step

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: sed; Reported by: 37@HIDDEN; dated Sat, 6 Apr 2024 06:39:03 UTC; Maintainer for sed is bug-sed@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_9e59b43118d1803b9605023d174e6dda"
Date: Sat, 06 Apr 2024 00:40:08 -0400
From: 37@HIDDEN
To: bug-sed@HIDDEN
Subject: Bug in argument handling may lead to segfault if --debug is passed
 after any compile step
Message-ID: <fdc1345295d340c25ec43f7c210b3fd2@HIDDEN>

--=_9e59b43118d1803b9605023d174e6dda
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8;
 format=flowed

Hi,

This affects every version with the --debug flag to my knowledge. Tested 
on version 4.8. Reasonably simple reproducer is attached. Run with `sed 
-f repro.sed --debug`.

I believe the root cause is that sed will compile scripts *before* 
setting the debug flag, which leads to cmd->x.label_name being garbage 
since next_cmd_entry doesn't zero out the auxiliary data structure. When 
sed then tries to print the label through debug_print_program at the end 
of main, a segfault is possible due to the uninitialized read.
--=_9e59b43118d1803b9605023d174e6dda
Content-Transfer-Encoding: base64
Content-Type: text/plain;
 name=repro.sed
Content-Disposition: attachment;
 filename=repro.sed;
 size=1850

--=_9e59b43118d1803b9605023d174e6dda--
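
Added illustration, not part of the original report and not sed's source code: a simplified C model of the pattern the report describes, where a command slot is handed out without being cleared and the label name is only recorded if the debug flag is already set at compile time. The struct layout, the allocator names, the label "loop" and the 0xAA fill (standing in for stale heap contents) are assumptions made for this example; only the field name label_name is taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model for illustration; these are not sed's definitions. */
struct cmd { char op; union { const char *label_name; long n; } x; };
typedef struct cmd *(*alloc_fn)(void);

static int debug_flag;                 /* set once --debug has been parsed */

/* Allocator that does not clear the slot. The 0xAA fill stands in for
   stale heap contents so that the result is deterministic. */
static struct cmd *entry_uncleared(void) {
    struct cmd *c = malloc(sizeof *c);
    if (!c) abort();
    memset(c, 0xAA, sizeof *c);
    return c;
}

/* Hardened allocator: every field starts out as zero / NULL. */
static struct cmd *entry_zeroed(void) {
    struct cmd *c = calloc(1, sizeof *c);
    if (!c) abort();
    return c;
}

/* Compile ":name"; the name is recorded only if debug is already on. */
static struct cmd *compile_label(alloc_fn alloc, const char *name) {
    struct cmd *c = alloc();
    c->op = ':';
    if (debug_flag)
        c->x.label_name = name;
    return c;
}

/* Returns the pointer a debug printer would later dereference.
   flag_first = 0 models "-f script --debug" (compile, then set the flag). */
static const char *label_for_debug_print(alloc_fn alloc, int flag_first) {
    debug_flag = flag_first;
    struct cmd *c = compile_label(alloc, "loop");   /* constructed label */
    debug_flag = 1;
    const char *p = c->x.label_name;
    free(c);
    return p;
}

int main(void) {
    const char *p = label_for_debug_print(entry_zeroed, 0);
    printf("zeroed, flag late: %s\n", p ? p : "(no name recorded)");
    printf("uncleared, flag late: %p\n", (void *)label_for_debug_print(entry_uncleared, 0));
    return 0;
}
```

With the zeroed allocator a debug printer can test the pointer for NULL and skip the name; setting the flag before any script is compiled removes the ordering dependency altogether.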




Acknowledgement sent to 37@HIDDEN:
New bug report received and forwarded. Copy sent to bug-sed@HIDDEN. Full text available.
Report forwarded to bug-sed@HIDDEN:
bug#70232; Package sed. Full text available.
Last modified: Sat, 6 Apr 2024 06:45:04 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.