bin/80348: rs(1) handles command line arguments improperly (SIGSEGV)

Mon Apr 25 16:40:18 PDT 2005

>Number:         80348
>Category:       bin
>Synopsis:       rs(1) handles command line arguments improperly (SIGSEGV)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 25 23:40:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.4-STABLE FreeBSD 5.4-STABLE #8: Sat Apr 16 16:26:40 CEST 2005 dunstan at dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME8 i386

>Description:
rs(1) takes number of rows and columns from command line. Due the lack of
validity checking, it has problems with handling malicious values.

>How-To-Repeat:

$ echo test | rs 1 -99999999999
zsh: done                              echo test | 
zsh: segmentation fault (core dumped)  rs 1 -99999999999

Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `rs'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) bt
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at
/usr/src/usr.bin/rs/rs.c:122
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) f 1
#1  0x0804891c in main (argc=3, argv=0xbfbfe420) at
/usr/src/usr.bin/rs/rs.c:122
122             prepfile();
(gdb) l   
117             getfile();
118             if (flags & SHAPEONLY) {
119                     printf("%d %d\n", irows, icols);
120                     exit(0);
121             }
122             prepfile();
123             putfile();
124             exit(0);
125     }
126     
(gdb) f 0
#0  0x0804936b in prepfile () at /usr/src/usr.bin/rs/rs.c:324
324                             colwidths[ocols - 1] = 0;
(gdb) list
319                             colwidths[i] = colw;
320             if (!(flags & NOTRIMENDCOL)) {
321                     if (flags & RIGHTADJUST)
322                             colwidths[0] -= gutter;
323                     else
324                             colwidths[ocols - 1] = 0;
325             }
326             n = orows * ocols;
327             if (n > nelem && (flags & RECYCLE))
328                     nelem = n;
(gdb) quit

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: