From debbugs-submit-bounces@debbugs.gnu.org Thu Aug 14 20:56:57 2014
Date: Fri, 15 Aug 2014 02:56:19 +0200
From: Vincent Lefevre
To: bug-grep@gnu.org
Subject: incorrect undossify_input prototype - possible integer overflow
Message-ID: <20140815005619.GK5034@xvii.vinc17.org>
User-Agent: Mutt/1.5.23-6361-vl-r59709 (2014-07-25)

In grep 2.20, grep.c contains:

  ssize_t fillsize;
  size_t readsize;
  [...]
  fillsize = safe_read (bufdesc, readbuf, readsize);
  if (fillsize < 0)
    fillsize = cc = 0;
  bufoffset += fillsize;
  fillsize = undossify_input (readbuf, fillsize);

In practice, readsize can be large on a 64-bit machine (more than 2 GB),
so that the return value of safe_read(), fillsize, can also be large
since a read() is called with readsize as the 3rd argument. But dosbuf.c
has:

  static int
  undossify_input (char *buf, size_t buflen)
  {
    if (! O_BINARY)
      return buflen;
  [...]

meaning that the potentially large buflen (> 2 GB) is returned as an
int, whose usual size is 32 bits only, yielding an integer overflow.
undossify_input should be rewritten in such a way that some int's are
changed to size_t or ssize_t.

Note: This bug is currently not visible under Linux due to a limitation
in the kernel (breaking POSIX compliance, BTW): the read() return value
is limited to 0x7ffff000.
-- 
Vincent Lefèvre - Web: 100% accessible validated (X)HTML - Blog:
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

From debbugs-submit-bounces@debbugs.gnu.org Thu Aug 14 21:41:47 2014
Date: Thu, 14 Aug 2014 18:41:32 -0700
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Vincent Lefevre, 18269-done@debbugs.gnu.org
Subject: Re: bug#18269: incorrect undossify_input prototype - possible integer overflow
Message-ID: <53ED654C.4070004@cs.ucla.edu>
In-Reply-To: <20140815005619.GK5034@xvii.vinc17.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
Thanks for reporting that. Plus, there's a related bug in the use of
safe_read. I fixed them both with the attached patch.

[Attachment: 0001-grep-fix-integer-width-bugs-in-undossify_input-etc.patch,
 text/plain, decoded from base64]

From 9fdcf2ccf1f9bde999f602a10d37d89dbe384fab Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 14 Aug 2014 18:38:49 -0700
Subject: [PATCH] grep: fix integer-width bugs in undossify_input etc.

undossify_input bug reported by Vincent Lefevre in:
http://bugs.gnu.org/18269
* src/dosbuf.c (undossify_input): Return size_t, not int.
* src/grep.c (fillbuf): Work portably even if safe_read returns a
value greater than SSIZE_MAX, e.g., if there's an I/O error.
---
 src/dosbuf.c | 10 +++++-----
 src/grep.c   |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/dosbuf.c b/src/dosbuf.c
index 9ac2d13..3b4052a 100644
--- a/src/dosbuf.c
+++ b/src/dosbuf.c
@@ -90,15 +90,15 @@ guess_type (char *buf, size_t buflen)
 }
 
 /* Convert external DOS file representation to internal.
-   Return the count of characters left in the buffer.
+   Return the count of bytes left in the buffer.
    Build table to map character positions when reporting byte counts.  */
-static int
+static size_t
 undossify_input (char *buf, size_t buflen)
 {
   if (! O_BINARY)
     return buflen;
 
-  int chars_left = 0;
+  size_t bytes_left = 0;
 
   if (totalcc == 0)
     {
@@ -126,7 +126,7 @@ undossify_input (char *buf, size_t buflen)
           if (*buf != '\r')
             {
               *destp++ = *buf++;
-              chars_left++;
+              bytes_left++;
             }
           else
             {
@@ -176,7 +176,7 @@ undossify_input (char *buf, size_t buflen)
             }
         }
 
-      return chars_left;
+      return bytes_left;
     }
 
   return buflen;
diff --git a/src/grep.c b/src/grep.c
index 5e6c5c6..6b930dc 100644
--- a/src/grep.c
+++ b/src/grep.c
@@ -397,7 +397,7 @@ static int grepdesc (int, int);
 
 static void dos_binary (void);
 static void dos_unix_byte_offsets (void);
-static int undossify_input (char *, size_t);
+static size_t undossify_input (char *, size_t);
 
 static int
 is_device_mode (mode_t m)
@@ -583,7 +583,7 @@ reset (int fd, struct stat const *st)
 static int
 fillbuf (size_t save, struct stat const *st)
 {
-  ssize_t fillsize;
+  size_t fillsize;
   int cc = 1;
   char *readbuf;
   size_t readsize;
@@ -645,7 +645,7 @@ fillbuf (size_t save, struct stat const *st)
   readsize -= readsize % pagesize;
 
   fillsize = safe_read (bufdesc, readbuf, readsize);
-  if (fillsize < 0)
+  if (fillsize == SAFE_READ_ERROR)
     fillsize = cc = 0;
   bufoffset += fillsize;
   fillsize = undossify_input (readbuf, fillsize);
-- 
1.9.3

From unknown Sat Jun 14 18:59:26 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 12 Sep 2014 11:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
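Review bot: In the dosbuf.c hunk at line 90, changing the definition to `static size_t undossify_input (char *buf, size_t buflen)` only compiles because the grep.c hunk at line 397 updates the forward declaration to `static size_t undossify_input (char *, size_t);` in the same patch; a static function declared `int` and defined `size_t` is a conflicting-types error, so the two hunks must travel together when this is backported. With that in place, both `return buflen;` paths (the `! O_BINARY` early return and the fall-through at the end of the function) hand the caller's length back at full width and `bytes_left` counts at `size_t` width, which is exactly what the report asked for; the comment change from "characters" to "bytes" matches the rename and should be kept.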
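Review bot: In the grep.c hunk at line 645, once `fillsize` is `size_t` (hunk at line 583) the old `if (fillsize < 0)` would be dead code (an unsigned value is never negative; GCC's -Wtype-limits, enabled by -Wextra, flags exactly this), so replacing the test with `if (fillsize == SAFE_READ_ERROR)` is the part of the change that keeps the error path alive, and the commit message should say so rather than describing it only as a portability fix. The rest of the flow is sound: on error `fillsize` is zeroed before `bufoffset += fillsize;` and before `undossify_input (readbuf, fillsize);` run, so the `(size_t) -1` sentinel never reaches the offset arithmetic or the CRLF conversion.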
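The narrowing the report describes, and the shape of the fix in the patch above, as an added example that is not code from grep or from either message. `undossify_input_narrowed`, `undossify_input_fixed`, `fillbuf_step` and the `demo_*` helpers are hypothetical names; `undossify_input_fixed` is a simplified stand-in for grep's CRLF conversion (it drops the CR of each CRLF pair and keeps lone CRs, with no position table), `SAFE_READ_ERROR` is defined locally to match gnulib's `(size_t) -1` convention, and the buffer contents are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for gnulib's sentinel: safe_read() reports failure by
   returning (size_t) -1, never a negative ssize_t.  */
#define SAFE_READ_ERROR ((size_t) -1)

/* Before the fix: a size_t length travels through an int return type.
   Once buflen > INT_MAX the conversion is implementation-defined, and on
   platforms with a 32-bit int the length does not survive the round trip.  */
static int undossify_input_narrowed (const char *buf, size_t buflen)
{
  (void) buf;
  return buflen;
}

/* Returns 1 if the old int prototype hands back the same length it was
   given, 0 if the value was mangled on the way through.  */
static int old_prototype_preserves (size_t buflen)
{
  return (size_t) undossify_input_narrowed (NULL, buflen) == buflen;
}

/* Defender's check for this class of bug: does the size_t fit in an int
   at all?  Anything this rejects must not cross an int-typed interface.  */
static int narrows_to_int (size_t n)
{
  return n > (size_t) INT_MAX;
}

/* After the fix: width-preserving return.  Simplified CRLF -> LF
   conversion (hypothetical, not grep's real undossify_input).  */
static size_t undossify_input_fixed (char *buf, size_t buflen)
{
  size_t bytes_left = 0;
  char *destp = buf;
  for (size_t i = 0; i < buflen; i++)
    {
      if (buf[i] == '\r' && i + 1 < buflen && buf[i + 1] == '\n')
        continue;                       /* drop the CR of a CRLF pair */
      *destp++ = buf[i];
      bytes_left++;
    }
  return bytes_left;
}

/* Mirrors the patched fillbuf: fillsize is size_t, and the error check
   compares against SAFE_READ_ERROR instead of testing `< 0`, which is
   always false for an unsigned value.  read_result stands in for what
   safe_read() returned.  Sets *err and returns 0 bytes on error.  */
static size_t fillbuf_step (char *buf, size_t read_result, int *err)
{
  size_t fillsize = read_result;
  *err = 0;
  if (fillsize == SAFE_READ_ERROR)
    {
      fillsize = 0;
      *err = 1;
    }
  return undossify_input_fixed (buf, fillsize);
}

/* Constructed input: two CRLF lines and one lone CR.  Returns the byte
   count left after conversion if the buffer also matches the expected
   LF-only text, 0 otherwise.  */
static size_t demo_crlf_conversion (void)
{
  char buf[] = "ab\r\ncd\r\nx\ry";
  int err;
  size_t n = fillbuf_step (buf, sizeof buf - 1, &err);
  if (err || n != 9 || memcmp (buf, "ab\ncd\nx\ry", 9) != 0)
    return 0;
  return n;
}

/* Returns 1 if a simulated read error is detected and yields no bytes.  */
static int demo_read_error (void)
{
  char buf[8] = { 0 };
  int err;
  size_t n = fillbuf_step (buf, SAFE_READ_ERROR, &err);
  return err == 1 && n == 0;
}

int main (void)
{
  size_t big = (size_t) INT_MAX + 1;    /* 2 GiB when int is 32 bits */
  printf ("sizeof(int)=%zu sizeof(size_t)=%zu\n", sizeof (int), sizeof (size_t));
  printf ("narrows_to_int(%zu) = %d\n", big, narrows_to_int (big));
  printf ("old prototype preserves %zu: %d\n", big, old_prototype_preserves (big));
  printf ("CRLF demo bytes left: %zu, read-error demo ok: %d\n",
          demo_crlf_conversion (), demo_read_error ());
  return 0;
}
```

On a typical 64-bit build the program reports that a 2 GiB length is not preserved by the int prototype while `narrows_to_int` rejects it up front; the Linux kernel cap on `read()` mentioned in the report is why the real grep never handed such a length to `undossify_input`, not why the code was safe.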