[Bug 226948] [PATCH] usr.bin/apply: segmentation fault with blank magic character

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Mar 26 13:30:14 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226948

            Bug ID: 226948
           Summary: [PATCH] usr.bin/apply: segmentation fault with blank
                    magic character
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: tobias at stoeckmann.org

Created attachment 191838
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191838&action=edit
Patch to fix the issue

I have encountered and fixed an issue when the magic character ' ' is used.

apply(1) checks for magic numbers to substitute. These magic numbers are used
for argument substitution. You could write a command like

$ apply '2to3 %1 %2' test1.py test2.py

Which would run "2to3 test1.py test2.py". The magic character '%' can be
replaced with the option -a. In my case, I replace it with ' '.

The issue is that the check for magic numbers and the actual replacement happen
in two different parts of the code. Between them, the command is prepended with
"exec ", which is used for the shell invocation later on.

The bug is triggered with an invocation like this:

$ apply -a ' ' 2to3 test.py
Segmentation fault (core dumped)
$ _

The check for magic numbers is negative, because "2to3" has no magic number.
But right after the check, it's extended to "exec 2to3". As I changed the magic
character from '%' to ' ', suddenly it DOES contain a magic number.

The code does not properly verify afterwards if enough arguments have been
supplied and tries to access argv[2], which is NULL. The command crashes.

This patch is based on my merge attempt of a previous FreeBSD bug into OpenBSD.
You can see the discussion and OpenBSD's version of the patch here:

https://marc.info/?l=openbsd-tech&m=152180028615405&w=2

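The ordering problem described in the report, as an added example that is not part of the original message and is neither the attached patch nor FreeBSD's or OpenBSD's apply(1) source. It is a simplified model: the function names are hypothetical, and it assumes a reference is the magic character followed by a digit 1-9. The command is prefixed with "exec " first, and both the argument-count check and the substitution then run on that same final string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not apply(1)'s source: a reference is <magic><digit 1-9>. */
static int is_ref(const char *p, char magic) {
    return p[0] == magic && isdigit((unsigned char)p[1]) && p[1] != '0';
}

/* Highest argument number referenced in s, or 0 if there is none. */
static int max_magic_ref(const char *s, char magic) {
    int max = 0;
    for (; *s != '\0'; s++)
        if (is_ref(s, magic) && s[1] - '0' > max)
            max = s[1] - '0';
    return max;
}

/* Prepend "exec ", then check and substitute on that same string; -1 on error. */
static int build_command(const char *cmd, char magic, const char *const args[],
    int nargs, char *out, size_t outlen) {
    char tmpl[256];
    size_t used = 0;
    int n = snprintf(tmpl, sizeof(tmpl), "exec %s", cmd);
    if (n < 0 || (size_t)n >= sizeof(tmpl) || max_magic_ref(tmpl, magic) > nargs)
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;
        size_t len = 1;
        if (is_ref(p, magic)) {
            piece = args[*++p - '1'];   /* index is in range: checked above */
            len = strlen(piece);
        }
        if (used + len >= outlen)
            return -1;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    const char *const args[] = { "test.py" };   /* constructed sample input */
    char out[128];
    printf("refs before prefix: %d, after: %d, build: %d\n",
        max_magic_ref("2to3", ' '), max_magic_ref("exec 2to3", ' '),
        build_command("2to3", ' ', args, 1, out, sizeof(out)));
    return 0;
}
```

With the magic character set to ' ', scanning "2to3" finds no reference while scanning "exec 2to3" finds a reference to argument 2, so the build is refused instead of reading past the single supplied argument.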