bin/72370: awk in -current dumps core

Ruslan Ermilov ru at freebsd.org
Wed Oct 6 03:20:23 PDT 2004


The following reply was made to PR bin/72370; it has been noted by GNATS.

From: Ruslan Ermilov <ru at freebsd.org>
To: Joseph Koshy <jkoshy at freebsd.org>
Cc: bug-followup at freebsd.org
Subject: Re: bin/72370: awk in -current dumps core
Date: Wed, 6 Oct 2004 13:17:57 +0300

 On Wed, Oct 06, 2004 at 02:18:27AM +0000, Joseph Koshy wrote:
 > 
 > awk in 5-current dumps core if asked to dereference a positional
 > parameter at a large positive index.  There also seems to be
 > numeric overflow occurring behind the scenes.  The following
 > examples show the difference between GNU awk in 4-STABLE and
 > the awk in 5-current.
 > 
 > $ echo | /5/usr/bin/awk '{ x = 2147483647; print $x }'
 > *core dump*
 > 
 There's no bounds checking done when growing the "field table".
 What happens here is that realloc() is given "0" as the second
 argument, and later the code assumes that enough data has been
 allocated when in fact it was not.  The below patch should check
 for all possible overflows by doing the reverse arithmetic.
 
 %%%
 Index: lib.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/one-true-awk/lib.c,v
 retrieving revision 1.1.1.3
 diff -u -p -r1.1.1.3 lib.c
 --- lib.c	17 Mar 2003 07:59:58 -0000	1.1.1.3
 +++ lib.c	6 Oct 2004 07:55:36 -0000
 @@ -387,10 +387,15 @@ Cell *fieldadr(int n)	/* get nth field *
  void growfldtab(int n)	/* make new fields up to at least $n */
  {
  	int nf = 2 * nfields;
 +	size_t s;
  
  	if (n > nf)
  		nf = n;
 -	fldtab = (Cell **) realloc(fldtab, (nf+1) * (sizeof (struct Cell *)));
 +	s = (nf+1) * (sizeof (struct Cell *));
 +	if (s / (sizeof (struct Cell *)) - 1 == nf)
 +		fldtab = (Cell **) realloc(fldtab, s);
 +	else
 +		xfree(fldtab);
  	if (fldtab == NULL)
  		FATAL("out of space creating %d fields", nf);
  	makefields(nfields+1, nf);
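Review bot: In growfldtab(), `2 * nfields` and `nf+1` are still evaluated as int before anything is stored in `s`, so for n = 2147483647 the addition overflows in signed arithmetic, which is undefined, and the new check only sees the result after the fact; the comparison `s / (sizeof (struct Cell *)) - 1 == nf` also mixes size_t with int. Suggest rejecting the count before multiplying, for example by testing nf against INT_MAX and against SIZE_MAX / sizeof (struct Cell *) - 1, and calling FATAL directly from that branch. The else branch also depends on xfree() leaving fldtab NULL so that the following `if (fldtab == NULL)` fires; a comment saying so would help, since otherwise makefields() would run on a freed table.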
 %%%
 
 
 Cheers,
 -- 
 Ruslan Ermilov
 ru at FreeBSD.org
 FreeBSD committer
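
The size computation described in the reply above, as an added example that is not part of the original mail or of the awk source: the first function models the unchecked multiplication in 32-bit arithmetic to show how it yields 0 for realloc(), and the other two validate the count before multiplying. The names naive_table_bytes32, table_bytes and grow_table are hypothetical, and the 4-byte pointer size in the model is an assumption (i386).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation, modelled with 32-bit unsigned arithmetic
 * (assumption: 4-byte pointers). The product wraps modulo 2^32. */
uint32_t naive_table_bytes32(int32_t nf)
{
	return ((uint32_t)nf + 1u) * 4u;
}

/* Checked variant: validate the count before multiplying.
 * Returns 0 and stores the byte count for slots 0..nf in *out,
 * or -1 if nf+1 elements of size elem cannot be represented. */
int table_bytes(int nf, size_t elem, size_t *out)
{
	if (nf < 0 || nf == INT_MAX || elem == 0)
		return -1;			/* nf+1 would overflow int */
	if ((size_t)nf + 1 > SIZE_MAX / elem)
		return -1;			/* product would overflow size_t */
	*out = ((size_t)nf + 1) * elem;
	return 0;
}

/* Grow a pointer table to hold slots 0..nf. Returns NULL on overflow or
 * allocation failure; the old table is left untouched in both cases. */
void **grow_table(void **tab, int nf)
{
	size_t bytes;

	if (table_bytes(nf, sizeof(void *), &bytes) != 0)
		return NULL;
	return realloc(tab, bytes);
}

int main(void)
{
	size_t bytes = 0;

	/* Constructed inputs: the index from the report and a small one. */
	printf("naive 32-bit size for $2147483647: %u bytes\n",
	    (unsigned)naive_table_bytes32(2147483647));
	printf("checked size for $2147483647: %s\n",
	    table_bytes(INT_MAX, sizeof(void *), &bytes) ? "rejected" : "ok");
	printf("checked size for $9: %s\n",
	    table_bytes(9, sizeof(void *), &bytes) ? "rejected" : "ok");
	return 0;
}
```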

