svn commit: r229794 - head/usr.bin/hexdump

Tijl Coosemans tijl at coosemans.org
Mon Jan 16 20:04:21 UTC 2012


On Sunday 08 January 2012 00:15:22 Eitan Adler wrote:
> Author: eadler (ports committer)
> Date: Sat Jan  7 23:15:21 2012
> New Revision: 229794
> URL: http://svn.freebsd.org/changeset/base/229794
> 
> Log:
>   - Fix how hexdump parses escape strings
>   From the NetBSD bug:
>   The way hexdump(1) parses escape sequences has some bugs.
>   It shows up when an escape sequence is used as the non-last character
>   of a format string.
>   
>   PR:		bin/144722
>   Submitted by:	gcooper
>   Approved by:	rpaulo
>   Obtained from:	NetBSD
>   MFC after:	1 week
> 
> Modified:
>   head/usr.bin/hexdump/parse.c
> 
> Modified: head/usr.bin/hexdump/parse.c
> ==============================================================================
> --- head/usr.bin/hexdump/parse.c	Sat Jan  7 22:29:46 2012	(r229793)
> +++ head/usr.bin/hexdump/parse.c	Sat Jan  7 23:15:21 2012	(r229794)
> @@ -255,7 +255,9 @@ rewrite(FS *fs)
>  					sokay = NOTOKAY;
>  			}
>  
> -			p2 = p1 + 1;		/* Set end pointer. */
> +			p2 = *p1 ? p1 + 1 : p1;	/* Set end pointer -- make sure
> +						 * that it's non-NUL/-NULL first
> +						 * though. */
>  			cs[0] = *p1;		/* Set conversion string. */
>  			cs[1] = '\0';
>  
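Review bot: the comment on the new `p2 = *p1 ? p1 + 1 : p1;` line says "non-NUL/-NULL", but the expression only tests whether p1 is on the terminating NUL; it does not (and cannot, at this point) check for a NULL pointer, so reword the comment to say that the end pointer must not be advanced past the end of the string. Note also that when `*p1 == '\0'` the following `cs[0] = *p1;` still copies the terminator into the conversion string; if that is intended, a short comment saying so would save the next reader from wondering whether the guard was meant to cover it.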
> @@ -449,13 +451,21 @@ escape(char *p1)
>  	char *p2;
>  
>  	/* alphabetic escape sequences have to be done in place */
> -	for (p2 = p1;; ++p1, ++p2) {
> -		if (!*p1) {
> -			*p2 = *p1;
> -			break;
> -		}
> -		if (*p1 == '\\')
> -			switch(*++p1) {
> +	for (p2 = p1; *p1; p1++, p2++) {
> +		/* 
> +		 * Let's take a peak at the next item and see whether or not
> +		 * we need to escape the value...
> +		 */
> +		if (*p1 == '\\') {
> +
> +			p1++;
> +
> +			switch(*p1) {
> +			/* A standalone `\' */
> +			case '\0':
> +				*p2 = '\\';
> +				*++p2 = '\0';
> +				break;

This chunk needs to be reworked. This case causes a buffer overflow
because p1 points to the end of the string here and is then incremented
and dereferenced by the for loop.

Also, after the for loop p2 needs to be zero-terminated. Currently, the
output has an extra "n" at the beginning of every line:

00000000  2f 2a 2d 0a 20 2a 20 43  6f 70 79 72 69 67 68 74  |/*-. * Copyright|
n00000010  20 28 63 29 20 31 39 39  30 2c 20 31 39 39 33 0a  | (c) 1990, 1993.|
n00000020  20 2a 09 54 68 65 20 52  65 67 65 6e 74 73 20 6f  | *.The Regents o|

>  			case 'a':
>  			     /* *p2 = '\a'; */
>  				*p2 = '\007';
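Review bot: the new `case '\0':` branch at the top of the switch still walks off the end of the string. When the backslash is the last character, `p1++` leaves p1 on the terminating NUL, the case writes `'\\'` and a NUL through p2, and `break` only leaves the switch: the for loop's `p1++, p2++` then moves p1 one past the NUL and the loop condition `*p1` reads beyond the buffer. Either `return` from that case instead of `break`, or test for a trailing backslash before advancing p1 (for example `if (p1[1] == '\0')`), and drop the `*++p2 = '\0'` there since the terminator belongs after the loop. While here, "take a peak" in the new comment should read "take a peek".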
> @@ -482,7 +492,12 @@ escape(char *p1)
>  				*p2 = *p1;
>  				break;
>  			}
> +
> +		} else
> +			*p2 = *p1;
> +
>  	}
> +
>  }
>  
>  void
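Review bot: nothing writes a terminator after the loop. The old loop copied the NUL (`*p2 = *p1;` on `!*p1`) before breaking; the new `for (p2 = p1; *p1; p1++, p2++)` stops on the NUL without copying it, and because p2 lags p1 by one byte for every two-character escape collapsed, the stale tail of the original string stays in place (the "n" of a trailing "\n" is what then shows up in the output). Add `*p2 = '\0';` after the loop, in place of the blank line this hunk adds before the closing brace.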
> 
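The decoder below is an added example written for this page, not FreeBSD's escape() from parse.c. It is shaped the same way (a read pointer running ahead of a write pointer over one buffer) so that the two hazards raised above are visible in the code: a lone trailing backslash must not push the read pointer past the NUL, and the shortened string must be terminated once the loop is done. The names unescape_inplace, escape_value and check_decode, the sample inputs, and the escape set handled (\a \b \f \n \r \t \v, with unknown escapes keeping the character and dropping the backslash) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD's parse.c. Decodes backslash escapes of
 * the kind a hexdump(1)-style format string carries, in place.
 */

/* Byte meant by the character after a backslash. Unknown escapes keep
 * the character and drop the backslash (this example's choice). */
static char escape_value(char c)
{
	switch (c) {
	case 'a': return '\a';
	case 'b': return '\b';
	case 'f': return '\f';
	case 'n': return '\n';
	case 'r': return '\r';
	case 't': return '\t';
	case 'v': return '\v';
	default:  return c;
	}
}

/* Decode escapes in s in place; returns the new length. */
size_t unescape_inplace(char *s)
{
	char *rd = s, *wr = s;

	while (*rd != '\0') {
		if (*rd != '\\') {
			*wr++ = *rd++;
			continue;
		}
		rd++;				/* step over the backslash */
		if (*rd == '\0') {
			/* Lone trailing '\': keep it literally and stop.
			 * rd already sits on the NUL; advancing it once
			 * more (as a for-loop increment would) reads past
			 * the end of the buffer. */
			*wr++ = '\\';
			break;
		}
		*wr++ = escape_value(*rd++);
	}
	/* wr lags rd by one byte per collapsed escape, so the old tail is
	 * still there; without this NUL the buffer keeps its stale final
	 * bytes (e.g. "|\\n" would read back as "|\nn"). */
	*wr = '\0';
	return (size_t)(wr - s);
}

/* Run the decoder on a copy of in and compare with want (length and
 * bytes, terminator included). Used by main() and the checks. */
int check_decode(const char *in, const char *want, size_t want_len)
{
	char buf[128];
	size_t n;

	if (strlen(in) >= sizeof(buf))
		return 0;
	strcpy(buf, in);
	n = unescape_inplace(buf);
	return n == want_len && strlen(buf) == want_len &&
	    memcmp(buf, want, want_len + 1) == 0;
}

int main(void)
{
	/* Constructed inputs: a hexdump -C style line tail, a lone trailing
	 * backslash, an escaped backslash and a string with no escapes. */
	static const struct { const char *in, *want; size_t len; } cases[] = {
		{ "|\\n",     "|\n",     2 },
		{ "%02x \\t", "%02x \t", 6 },
		{ "abc\\",    "abc\\",   4 },
		{ "\\\\",     "\\",      1 },
		{ "plain",    "plain",   5 },
		{ "",         "",        0 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-10s %s\n", cases[i].in,
		    check_decode(cases[i].in, cases[i].want, cases[i].len) ?
		    "ok" : "FAIL");
	return 0;
}
```

The "|\\n" case is the one behind the extra "n" in the output shown above: the decoded string is one byte shorter than the input, and only the final NUL write hides the leftover 'n'.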