Possible bug in ul(1)

[Pietro Cerutti]

On 2016-06-15 22:59, Abhinav Upadhyay wrote:
> Hi,
> 
> NetBSD's ul(1) had a bug, where it would dump core for certain inputs
> containing really long lines. For example, we had two man pages for
> which it would crash:
> 
> man evrpc | ul
> man xdm | ul
> 
> We had a statically allocated buffer (struct CHAR obuf[MAXBUF]) for
> representing columns in the lines of the input file, and for really
> long lines, we would try to read beyond the size of the buffer and
> crash. We've fixed it by using reallocarr(3) and friends [1].
> 
> FreeBSD also uses a statically allocated buffer, but it ensures that
> it never reads beyond the fixed size of the buffer and therefore
> doesn't crash for such bad inputs.
> 
> line 170: while ((c = getwc(f)) != WEOF && col < MAXBUF) switch(c) {
> 
> However, it stops reading the file just at the point where the number
> of columns in the line exceeds the buffer size and exits with status
> 0. I think, if it is not going to read the complete file, it should
> exit with a non-0 status, so that the user gets to know that the
> output from ul(1) is not complete? Or, probably it would be better to
> fix ul(1) so that it is able to read files with arbitrarily long
> lines. :)
> 
> PS: I'm not subscribed to the list, so please keep me CC'ed.
> 
> [1]:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/ul/ul.c.diff?r1=1.16&r2=1.17&only_with_tag=MAIN

Bug report and patch submitted at 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210344.
Thanks!

-- 
Pietro Cerutti
gahr at FreeBSD.org

PGP Public Key:
http://gahr.ch/pgp