GNU bug report logs - #22489
A bug in tail.c


Package: coreutils

Reported by: Lei Wang <wangcppclei <at> gmail.com>

Date: Fri, 29 Jan 2016 16:41:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#22489; Package coreutils. (Fri, 29 Jan 2016 16:41:02 GMT)

Acknowledgement sent to Lei Wang <wangcppclei <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org.

Your message had a Version: pseudo-header with an invalid package version:

GNU Coreutils 8.20-8.25

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Fri, 29 Jan 2016 16:41:02 GMT)


Message #5 received at submit <at> debbugs.gnu.org:

From: Lei Wang <wangcppclei <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: A bug in tail.c
Date: Fri, 29 Jan 2016 20:38:39 +0800
Version: GNU Coreutils 8.20-8.25
File: tail.c
Bug description:
Line 1979, the parse_obsolete_option() function has three parameters: argc,
argv, n_units. We only need to focus on argc and argv, which are from the
main() function. Line 1992 filters the argc and argv. When argc==2, line
1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while
(ISDIGIT (*p)) accesses p. There is one condition that can lead to program
overflow, that is, argc==2 and argv[1] has only one character; for example,
./tail x will access the next character after x. This may be a bug, but
it cannot lead to a program crash.
--WangLei

Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Fri, 29 Jan 2016 18:31:02 GMT)

Notification sent to Lei Wang <wangcppclei <at> gmail.com>:
bug acknowledged by developer. (Fri, 29 Jan 2016 18:31:02 GMT)

Message #10 received at 22489-done <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Lei Wang <wangcppclei <at> gmail.com>, 22489-done <at> debbugs.gnu.org
Subject: Re: bug#22489: A bug in tail.c
Date: Fri, 29 Jan 2016 10:29:57 -0800
On 01/29/2016 04:38 AM, Lei Wang wrote:
> There is one condition that can lead to program
> overflow, that is, argc==2 and argv[1] has only one character; for example,
> ./tail x will access the next character after x. This may be a bug

I don't see a bug there. The next character is a null byte, and ISDIGIT 
('\0') is false so the code should do the right thing. I don't think 
there is a test case that illustrates wrong behavior, but if I'm wrong 
please reply with a test case (a shell command invoking 'tail') and I'll 
reopen the bug report.




Information forwarded to bug-coreutils <at> gnu.org:
bug#22489; Package coreutils. (Fri, 29 Jan 2016 19:13:01 GMT)

Message #13 received at 22489 <at> debbugs.gnu.org:

From: Assaf Gordon <assafgordon <at> gmail.com>
To: Lei Wang <wangcppclei <at> gmail.com>, 22489 <at> debbugs.gnu.org
Subject: Re: bug#22489: A bug in tail.c
Date: Fri, 29 Jan 2016 14:14:16 -0500
tag 22489 notabug
close 22489
stop

Hello WangLei,

Thank you for the report, however this is not a bug.

On 01/29/2016 07:38 AM, Lei Wang wrote:
> Version: GNU Coreutils 8.20-8.25
> File: tail.c
> Bug description:
> Line 1979, the parse_obsolete_option() function has three parameters: argc,
> argv, n_units. We only need to focus on argc and argv, which are from the
> main() function. Line 1992 filters the argc and argv. When argc==2, line
> 1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while
> (ISDIGIT (*p)) accesses p. There is one condition that can lead to program
> overflow, that is, argc==2 and argv[1] has only one character; for example,
> ./tail x will access the next character after x. This may be a bug, but
> it cannot lead to a program crash.
> --WangLei
>

Case 1:
Based on your scenario of './tail x', in tail.c:2000, the value of (*p++) is the character 'x'.
The switch statement will therefore go to the 'default' case and return immediately (line 2003).

Case 2:
If it is run with './tail -', the value of (*p++) in tail.c:2000 is '-', and the corresponding case will 'return false' because "obsolete_usage" is false (line 2008).

Case 3:
If it is run with '_POSIX2_VERSION=100 ./tail -', the flow will indeed progress to line 2026.
But note that the original value 'p' points to a null-terminated string, which contains "-\0".
Advancing 'p' with (*p++) means '*p' is a non-null pointer, pointing to a NUL character (ASCII 0x00).
Thus, checking 'ISDIGIT(*p)' is valid and does not cause any problem.


If you have a different case in mind, please reply to this thread with an example.

I'm therefore closing the bug, but discussion can continue.

regards,
 - assaf
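
The three cases from the reply above, as an added example that is not part of the thread or of tail.c: a simplified, hypothetical model of the first-character switch and the digit scan that records the highest index read, so the read of the terminating NUL can be checked against the string length. The names walk_arg, reads_in_bounds and struct trace are assumptions, and the '-' handling follows the thread's description rather than the actual source.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum outcome { NOT_OBSOLETE, REJECTED_DASH, REACHED_DIGIT_SCAN };
struct trace {
    enum outcome result;
    size_t last_index_read;  /* highest index of arg that was dereferenced */
    size_t digits;           /* digits consumed by the scan loop */
};

/* Hypothetical model of the flow discussed in the thread; NOT the tail.c source. */
static struct trace walk_arg(const char *arg, bool obsolete_usage)
{
    struct trace t = { NOT_OBSOLETE, 0, 0 };
    const char *p = arg;
    switch (*p++) {              /* reads arg[0]; p now points at arg[1] */
    default:                     /* Case 1: "x" returns before arg[1] is read */
        return t;
    case '-':
        if (!obsolete_usage) {   /* Case 2: "-" rejected without reading arg[1] */
            t.result = REJECTED_DASH;
            return t;
        }
        break;
    }
    while (isdigit((unsigned char) *p)) {  /* Case 3: stops at the NUL at the latest */
        p++;
        t.digits++;
    }
    t.last_index_read = (size_t) (p - arg);
    t.result = REACHED_DIGIT_SCAN;
    return t;
}

/* The terminator at index strlen(arg) is part of the string object, so reading it is valid. */
static bool reads_in_bounds(const char *arg, bool obsolete_usage)
{
    return walk_arg(arg, obsolete_usage).last_index_read <= strlen(arg);
}

int main(void)
{
    const char *samples[] = { "x", "-", "-12", "-5c" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-4s in bounds: %d\n", samples[i], reads_in_bounds(samples[i], true));
    return 0;
}
```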









bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 27 Feb 2016 12:24:04 GMT)

This bug report was last modified 9 years and 174 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.