From unknown Mon Jun 23 13:15:28 2025
From: Hanno Böck
To: bug-sed@gnu.org
Date: Wed, 9 Dec 2015 12:42:11 +0100
Subject: bug#22127: Segfault / null pointer access in function str_append_modified()
Message-ID: <20151209124211.0e77e6aa@pc1>

Hi,

With a malformed input (see attachment) sed can crash in the function
str_append_modified()

Test:
echo|./sed -f sed-nullptr-str_append_modified

Seems to be a null pointer access.
This only seems to happen in the git code of sed and not in 4.2.2.

This is the stack trace from address sanitizer:
==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
    #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
    #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
    #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
    #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
    #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
    #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
    #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
    #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
    #8 0x4191a8 in _start (/tmp/sed+0x4191a8)

This was found with the help of american fuzzy lop.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

[Attachment: sed-nullptr-str_append_modified (application/octet-stream, base64)]
cy8gXD8vXEz9/f39/f39/f2Tk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OT/VyAAABSUrgv

[Attachment: OpenPGP digital signature]

From unknown Mon Jun 23 13:15:28 2025
From: Jim Meyering
To: Hanno Böck
Cc: 22127@debbugs.gnu.org
Date: Thu, 17 Dec 2015 18:56:51 -0800
Subject: bug#22127: Segfault / null pointer access in function str_append_modified()
In-Reply-To: <20151209124211.0e77e6aa@pc1>

On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck wrote:
> Hi,
>
> With a malformed input (see attachment) sed can crash in the function
> str_append_modified()
>
> Test:
> echo|./sed -f sed-nullptr-str_append_modified
>
> Seems to be a null pointer access.
> This only seems to happen in the git code of sed and not in 4.2.2.
>
> This is the stack trace from address sanitizer:
> ==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
> #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
> #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
> #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
> #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
> #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
> #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
> #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
> #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
> #8 0x4191a8 in _start (/tmp/sed+0x4191a8)
>
>
> This was found with the help of american fuzzy lop.

Thank you for the report.
I've reduced it to the following one-liner (demonstrating
failure with an ASAN-enabled binary), and have attached
a patch:

$ echo > k; LC_ALL=en_US.utf8 sed/sed $(printf 's/^/\\L\233\375\134\200/') k
=================================================================
==3335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000edb2 at pc 0x000000446933 bp 0x7ffd73a42ee0 sp 0x7ffd73a42690
WRITE of size 6 at 0x60600000edb2 thread T0
    #0 0x446932 in __interceptor_wcrtomb ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
    #1 0x4dc393 in str_append_modified /home/j/w/co/sed/sed/execute.c:273
    #2 0x4e08e2 in append_replacement /home/j/w/co/sed/sed/execute.c:992
    #3 0x4e1272 in do_subst /home/j/w/co/sed/sed/execute.c:1078
    #4 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #5 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #6 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #7 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #8 0x406d18 in _start (/home/j/w/co/sed/sed/sed+0x406d18)

0x60600000edb2 is located 0 bytes to the right of 50-byte region [0x60600000ed80,0x60600000edb2)
allocated by thread T0 here:
    #0 0x4a2050 in __interceptor_calloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x4e59d3 in ck_malloc /home/j/w/co/sed/sed/utils.c:398
    #2 0x4dc4e9 in line_init /home/j/w/co/sed/sed/execute.c:288
    #3 0x4dc75f in line_reset /home/j/w/co/sed/sed/execute.c:306
    #4 0x4e0d37 in do_subst /home/j/w/co/sed/sed/execute.c:1023
    #5 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #6 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #7 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #8 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751 in __interceptor_wcrtomb

[Attachment: 0001-sed-fix-a-heap-clobbering-buffer-overrun.patch (text/x-patch)]

From unknown Mon Jun 23 13:15:28 2025
From: Assaf Gordon
To: Jim Meyering
Cc: Hanno Böck, 22127@debbugs.gnu.org
Date: Sat, 28 Jan 2017 23:11:06 +0000
Subject: bug#22127: Segfault / null pointer access in function str_append_modified()
Message-ID: <20170128231105.GD8951@gmail.com>
References: <20151209124211.0e77e6aa@pc1>

tags 22172 fixed
close 22172
stop

Hello,

On Thu, Dec 17, 2015 at 06:56:51PM -0800, Jim Meyering wrote:
>On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck wrote:
>> With a malformed input (see attachment) sed can crash in the function
>> str_append_modified()
>
>Thank you for the report.
>I've reduced it to the following one-liner (demonstrating
>failure with an ASAN-enabled binary), and have attached
>a patch:

The fix was pushed here:
http://git.savannah.gnu.org/cgit/sed.git/commit/?id=67b3fcc980
and was included in sed-4.3.

I'm marking this as fixed and closing the bug.

regards,
 - assaf

From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 16 18:01:57 2017
From: Assaf Gordon
To: control@debbugs.gnu.org
Date: Thu, 16 Feb 2017 23:01:20 +0000
Subject: bug 22127
Message-ID: <20170216230119.GC31549@gmail.com>

tags 22127 fixed
close 22127
stop
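The thread records the fix but never states the mechanism in plain text: both ASAN traces put the fault in str_append_modified, sed's case-conversion loop for replacement text, inside wcrtomb, and the attached patch's commit message (base64-encoded in the original mail) says the loop took mbrtowc's (size_t)-2 "incomplete sequence" return for a large positive byte count. The C below is an added example, not sed's code: it shows the wrap-around that an "n > 0" advance check lets through and a bounded copy loop that handles every mbrtowc sentinel before advancing. decode_utf8() is a constructed, locale-independent stand-in with mbrtowc's return conventions, and the test byte strings are constructed, not the bytes from the report.

```c
/* Added example (not sed's code).  mbrtowc returns the byte count of a
 * complete character, 0 for L'\0', (size_t)-1 for an invalid sequence and
 * (size_t)-2 for an incomplete one.  A loop that advances on "n > 0" takes
 * both sentinels as huge positive lengths: "length -= n" wraps around and
 * the wcrtomb calls that follow run past the output buffer.  decode_utf8()
 * is a constructed stand-in for mbrtowc, so no locale setup is needed.  */
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define MB_INVALID    ((size_t) -1)
#define MB_INCOMPLETE ((size_t) -2)

/* Decode one UTF-8 character from s[0..len).  Returns bytes consumed,
 * 0 for NUL, MB_INVALID or MB_INCOMPLETE, following mbrtowc's contract.  */
size_t decode_utf8 (const unsigned char *s, size_t len, wchar_t *out)
{
  size_t need; wchar_t cp;
  if (len == 0)
    return MB_INCOMPLETE;
  if (s[0] < 0x80)
    {
      *out = s[0];
      return s[0] ? 1 : 0;
    }
  if ((s[0] & 0xE0) == 0xC0) { need = 2; cp = s[0] & 0x1F; }
  else if ((s[0] & 0xF0) == 0xE0) { need = 3; cp = s[0] & 0x0F; }
  else if ((s[0] & 0xF8) == 0xF0) { need = 4; cp = s[0] & 0x07; }
  else return MB_INVALID;              /* stray continuation or 0xF8..0xFF */
  for (size_t i = 1; i < need; i++)
    {
      if (i >= len)
        return MB_INCOMPLETE;          /* sequence cut off by end of input */
      if ((s[i] & 0xC0) != 0x80)
        return MB_INVALID;
      cp = (cp << 6) | (s[i] & 0x3F);
    }
  *out = cp;
  return need;
}

/* What "if (n > 0) length -= n;" computes when n is a sentinel: the
 * remaining length wraps to a value larger than the buffer ever was.  */
size_t naive_remaining (size_t length, size_t n)
{
  return n > 0 ? length - n : length;
}

/* Copy src[0..len) into dst (capacity cap), ASCII-lowercasing the first
 * complete character (the shape of a \L first-character conversion), with
 * every sentinel handled before the pointer arithmetic.  Returns bytes
 * written, or (size_t)-1 if dst is too small, instead of overrunning it.  */
size_t append_lower_first (char *dst, size_t cap, const char *src, size_t len)
{
  const unsigned char *p = (const unsigned char *) src;
  size_t written = 0;
  while (len > 0)
    {
      wchar_t wc = 0;
      size_t n = decode_utf8 (p, len, &wc);
      int complete = (n != 0 && n != MB_INVALID && n != MB_INCOMPLETE);
      if (n == MB_INVALID)
        n = 1;                         /* pass the bad byte through as-is */
      else if (!complete)
        n = len;                       /* NUL or truncated tail: copy raw, stop */
      if (n > cap - written)
        return (size_t) -1;            /* bounds check before the write */
      memcpy (dst + written, p, n);
      if (written == 0 && complete && wc >= L'A' && wc <= L'Z')
        dst[0] = (char) (wc + ('a' - 'A'));
      written += n; p += n; len -= n;
    }
  return written;
}
```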