bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number

Fredrik Lindberg fli at shapeshifter.se
Thu Aug 13 10:00:16 UTC 2009 

The following reply was made to PR bin/137707; it has been noted by GNATS.

From: Fredrik Lindberg <fli at shapeshifter.se>
To: bug-followup at FreeBSD.org, deeptech71 at gmail.com
Cc: hugh.mahon at cwx.net
Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound
 line number
Date: Thu, 13 Aug 2009 11:50:42 +0200

 This is a multi-part message in MIME format.
 --------------060704070207090201020407
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 The version of ee.c in contrib/ee initialize char *direction to NULL,
 the value of this pointer is then calculated depending on if the
 cursor should move up and down. Without any next lines, the pointer
 is never initialized before fed to strcmp() which segfaults on
 the NULL pointer.
 
 This bug is only triggered if the cursor is at the last line and
 one attempts to move down.
 
 To minimize the changes of the contrib source it's easiest to
 just initialize direction to "d", this should have no impact
 as the pointer is changed when possible and moving "down" 0 lines
 has no effect.
 
 CCed the upstream author as the sources in the tree (1.5.0)
 looks identical in this aspect.
 
 Hugh, any particular reason direction isn't just a char? I might
 be missing something but it seems it's only used with lines containing
 one character only.
 
 Fredrik
 
 Program received signal SIGSEGV, Segmentation fault.
 0x281a4ec8 in strcmp () from /lib/libc.so.7
 
 #1  0x0804cda6 in goto_line (cmd_str=0x28217102 "2")
      at /usr/home/fli/work/freebsd/src/usr.bin/ee/../../contrib/ee/ee.c:2027
 2027			if (!strcmp(direction, "d"))
 (gdb) print direction
 $1 = 0x0
 (gdb) print number
 $4 = 2
 (gdb) print t_line->line_number
 $5 = 1
 (gdb) print t_line->next_line
 $6 = (struct text *) 0x0
 
 
 --------------060704070207090201020407
 Content-Type: text/plain;
  name="ee.c-patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="ee.c-patch"
 
 Index: ee.c
 ===================================================================
 --- ee.c	(revision 196171)
 +++ ee.c	(working copy)
 @@ -1993,7 +1993,7 @@
  	int number;
  	int i;
  	char *ptr;
 -	char *direction = NULL;
 +	char *direction = "d"; 
  	struct text *t_line;
  
  	ptr = cmd_str;
 
 --------------060704070207090201020407--

More information about the freebsd-bugs mailing list