From unknown Mon Aug 18 14:26:29 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#22489 <22489@debbugs.gnu.org> To: bug#22489 <22489@debbugs.gnu.org> Subject: Status: A bug in tail.c Reply-To: bug#22489 <22489@debbugs.gnu.org> Date: Mon, 18 Aug 2025 21:26:29 +0000 retitle 22489 A bug in tail.c reassign 22489 coreutils submitter 22489 Lei Wang severity 22489 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 29 11:40:08 2016 Received: (at submit) by debbugs.gnu.org; 29 Jan 2016 16:40:08 +0000 Received: from localhost ([127.0.0.1]:40742 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aPC5f-0002qi-Qy for submit@debbugs.gnu.org; Fri, 29 Jan 2016 11:40:08 -0500 Received: from eggs.gnu.org ([208.118.235.92]:35045) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aP8KC-0005bz-1N for submit@debbugs.gnu.org; Fri, 29 Jan 2016 07:38:52 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aP8K5-0006HK-PB for submit@debbugs.gnu.org; Fri, 29 Jan 2016 07:38:46 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: * X-Spam-Status: No, score=1.3 required=5.0 tests=BAYES_50,FREEMAIL_FROM, FROM_LOCAL_NOVOWEL,HK_RANDOM_ENVFROM,HTML_MESSAGE,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:52643) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aP8K5-0006HA-Mc for submit@debbugs.gnu.org; Fri, 29 Jan 2016 07:38:45 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54234) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aP8K4-0007UC-N2 for bug-coreutils@gnu.org; Fri, 29 Jan 2016 07:38:45 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aP8K0-0006Eb-Sv for bug-coreutils@gnu.org; Fri, 29 Jan 2016 07:38:44 -0500 Received: from mail-ig0-x236.google.com ([2607:f8b0:4001:c05::236]:36219) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aP8K0-0006E2-Nx for bug-coreutils@gnu.org; Fri, 29 Jan 2016 07:38:40 -0500 Received: by mail-ig0-x236.google.com with SMTP id z14so35621638igp.1 for ; Fri, 29 Jan 2016 04:38:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=sZwjOrxjRWkzLhgZIBFnqIkQAG/f+KO86XcvxxkwzWI=; b=bg+2/C0/laPVQ0kEUsgij43C1Kg/mxYhSUwstSAZ61ncvAmK8QkmiBMQycU5bpVjba cB5gcj1BOY0mZ5G7oJUyQPJfTXFXevVLo2DuKor4Mj8azteNOEA8IXM//+RGrh35BHIX hqcFqmpmb7+rwZ7zVj/bIiQoEwN95deUVY6GvvjkkvT4zHaIso+rC25k9Q85lwSbBl7v GI71IA8Y84XaSbx6u6tZysVUXLGfu71axlgfv6C2D176zqIiunmC+RM1bxh7F/+oMuqe kFJ3Hgxg5fgdot56/WLqghD4QX53CzJ6o6Fh3NIBwXEtZjVNEpmDmYr8Y7inMkcS8HtN rCkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=sZwjOrxjRWkzLhgZIBFnqIkQAG/f+KO86XcvxxkwzWI=; b=RPYWzY5l7egYEZTjrsag4Jrzp8Htf450qFDFFdP3bv4cUHZ0pbN8ZkNDsGtrtwmzIk GFV4Q/wrv5oPuI0tcWk9fsVRrbN+b6d0VRE4hMDB/4Gh277uj6GXkwmZXch582nKHyLE ggTwvRT/xlR2YRZ5aFckdc7zxUVpkq2G5uwCjv5V9CG57UJqcTtzJW3o0AQfmNp/EPfH GAqvjm3uzxh8mii9nmNko4EDhtQ+qdNmW3ibfNwPkXViJpBbSQGp8OmDX0Y1fnTspyQg 55y31d2trwu1xSb/HhVVzF8/HOOtT600QV1DnPMXlv/Fpy/bPMiVtu5QpGMgS4sAWViO UqMA== X-Gm-Message-State: AG10YOR8GU2n2iivy1Pvi3JsaOZJqn6Pdo1IGYfHXrpyFwZ+o8E2pcIRTK/1Rvk/47WJfQDGZj3Ay/tLTB871A== MIME-Version: 1.0 X-Received: by 10.50.155.67 with SMTP id vu3mr2213721igb.50.1454071119904; Fri, 29 Jan 2016 04:38:39 -0800 (PST) Received: by 10.50.122.35 with HTTP; Fri, 29 Jan 2016 04:38:39 -0800 (PST) Date: Fri, 29 Jan 2016 20:38:39 +0800 Message-ID: Subject: A bug in tail.c From: Lei Wang To: bug-coreutils@gnu.org Content-Type: multipart/alternative; boundary=001a1134dbec948b44052a7850d8 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -2.9 (--) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Fri, 29 Jan 2016 11:40:06 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.9 (--) --001a1134dbec948b44052a7850d8 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Version: GNU Coreutils 8.20-8.25 =E2=80=8B File: tail.c Bug description: Line 1979, parse_obsolete_option() function has three parameters: argc, argv, n_units. We only need to focus on argc and argv, which is from the main() function. Line 1992 filter the argc and argv. When argc=3D=3D2, l= ine 1998 p =3D argv[1], line 2000 *p++, then *p=3Dargv[1][1], line 2026 while (ISDIGIT (*p)) access p. There is one condition can lead to program overflow, thus argc=3D=3D2 and argv[1] has only one character, for example ./tail x , will access the next character after x, this maybe a bug, but can not lead program crash. --WangLei --001a1134dbec948b44052a7850d8 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Version: GNU Coreutils 8.20-8.25 =E2=80=8B
File: tail.c
Bug desc= ription:=C2=A0
Line 1979, =C2=A0parse_obsolete_option() funct= ion =C2=A0has three parameters: argc, argv,=C2=A0n_units.=C2=A0=C2=A0We only need to= focus on argc and argv, which is from the main() function. Line 1992 =C2= =A0filter =C2=A0the = argc and argv. When argc=3D=3D2, =C2=A0line 1998=C2=A0p =3D argv[1], line 2= 000 *p++, then *p=3Dargv[1][1], line 2026=C2=A0while (ISDIGIT (*p)) access = p. There is one condition can lead to program overflow, thus argc=3D=3D2 an= d argv[1] has only one=C2=A0character, for example ./tail x , will access t= he next character after x, this maybe a bug, but can not lead program crash= .
--WangLei
--001a1134dbec948b44052a7850d8-- From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 29 13:30:06 2016 Received: (at 22489-done) by debbugs.gnu.org; 29 Jan 2016 18:30:06 +0000 Received: from localhost ([127.0.0.1]:40787 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aPDo6-00077i-9P for submit@debbugs.gnu.org; Fri, 29 Jan 2016 13:30:06 -0500 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:52562) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aPDo4-00075z-Qd for 22489-done@debbugs.gnu.org; Fri, 29 Jan 2016 13:30:05 -0500 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id C9E18160D71; Fri, 29 Jan 2016 10:29:58 -0800 (PST) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id EJS6iQIpp3Kf; Fri, 29 Jan 2016 10:29:58 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 2DBCA160E40; Fri, 29 Jan 2016 10:29:58 -0800 (PST) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rdFqlt_d67hp; Fri, 29 Jan 2016 10:29:58 -0800 (PST) Received: from penguin.cs.ucla.edu (Penguin.CS.UCLA.EDU [131.179.64.200]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 176A2160D71; Fri, 29 Jan 2016 10:29:58 -0800 (PST) Subject: Re: bug#22489: A bug in tail.c To: Lei Wang , 22489-done@debbugs.gnu.org References: From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: <56ABAFA5.40807@cs.ucla.edu> Date: Fri, 29 Jan 2016 10:29:57 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 22489-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) On 01/29/2016 04:38 AM, Lei Wang wrote: > There is one condition can lead to program > overflow, thus argc==2 and argv[1] has only one character, for example > ./tail x , will access the next character after x, this maybe a bug I don't see a bug there. The next character is a null byte, and ISDIGIT ('\0') is false so the code should do the right thing. I don't think there is a test case that illustrates wrong behavior, but if I'm wrong please reply with a test case (a shell command invoking 'tail') and I'll reopen the bug report. From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 29 14:12:40 2016 Received: (at 22489) by debbugs.gnu.org; 29 Jan 2016 19:12:40 +0000 Received: from localhost ([127.0.0.1]:40815 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aPETI-00088E-Bt for submit@debbugs.gnu.org; Fri, 29 Jan 2016 14:12:40 -0500 Received: from mail-qk0-f176.google.com ([209.85.220.176]:35184) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aPETG-000880-Eb for 22489@debbugs.gnu.org; Fri, 29 Jan 2016 14:12:38 -0500 Received: by mail-qk0-f176.google.com with SMTP id o6so28254894qkc.2 for <22489@debbugs.gnu.org>; Fri, 29 Jan 2016 11:12:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=nsqAkq62HJS1BCyKVDJFvrUVlrfUxY1WL2hVmDeYFOQ=; b=EegHkytNVNxfZm2h+jVDJKa2Qt2VRGd08bNomxR43nO55nTJGgr51zQ1IwGIE5bhDH YP0PWPAGN9jtSFyiHMBW2V3GnOuZ4QnlX5WN5VirsLhau2R4/stF2apE5SNfqc4QXkUw Un75QTU5xGg+BI7rsCv0WN7E+vkT+wVzW7hHIOPd2YWCy4qBUMqXu21fO+b/g9ealeLB z9G194DjAbAtYHeu8KGkVH8cU2rQ3RjSX9Kf9dEYULjl1POobQT0Ly+zi+XAF/j5ABHv /fXvEynSPV92SbpsDAjhaAEacVi12Pg45BLp8eeMxJUeBQsWw3eCSqdz9AXrEXl0j4o+ lrWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=nsqAkq62HJS1BCyKVDJFvrUVlrfUxY1WL2hVmDeYFOQ=; b=LtKfhhBYRovICvkP4KlgpRdT9CXd/suuOwMfHDM00uoh68C7fcqXG0XLF/PlSikVMt 72BL+yFRDpT32gUZTtF2OEad5lMvUnobUO0xT1paQNPE6VJ0X7ilmSDRmHREZtDT0xlu qhGQfVP+JcENBSbOjU84ip03fS8mx+DW7iWAe0oyoITOt7aHsMel/PzbpQKYG7d2wKIc 0uqIyP4uwv7W7uGYezppMsvQBHHYvMVQw+xwRq/meb2OJ8l4Jhi2BatRtWg3peqVaPlE 9Bgwiwr2Ek2qm3r2WWPTGoSvzgUhfnwyu2K1ua0mQwKEP78LvwxyBWeZcmdk9mgXIJP+ EnsA== X-Gm-Message-State: AG10YOTHoVO4HZzaoQ0xZ/y7ElpRHZCsWTff7THHI0lJ89mo2g+AYz0t6e9yhxvyR8om+Q== X-Received: by 10.55.198.14 with SMTP id b14mr13267096qkj.4.1454094753162; Fri, 29 Jan 2016 11:12:33 -0800 (PST) Received: from disco.erlich.nygenome.org ([69.74.14.178]) by smtp.googlemail.com with ESMTPSA id y99sm3349875qge.3.2016.01.29.11.12.32 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 29 Jan 2016 11:12:32 -0800 (PST) Subject: Re: bug#22489: A bug in tail.c To: Lei Wang , 22489@debbugs.gnu.org References: From: Assaf Gordon Message-ID: <56ABBA08.1050508@gmail.com> Date: Fri, 29 Jan 2016 14:14:16 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 22489 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) tag 22489 notabug close 22489 stop Hello WangLei, Thank you for the report, however this is not a bug. On 01/29/2016 07:38 AM, Lei Wang wrote: > Version: GNU Coreutils 8.20-8.25 ​ > File: tail.c > Bug description: > Line 1979, parse_obsolete_option() function has three parameters: argc, > argv, n_units. We only need to focus on argc and argv, which is from the > main() function. Line 1992 filter the argc and argv. When argc==2, line > 1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while > (ISDIGIT (*p)) access p. There is one condition can lead to program > overflow, thus argc==2 and argv[1] has only one character, for example > ./tail x , will access the next character after x, this maybe a bug, but > can not lead program crash. > --WangLei > Case 1: based on your scenario of './tail x' , in tail.c:2000, the value of (*p++) is the character 'x'. The switch statement will therefore go to the 'default' case and return immediately (line 2003). Case 2: if it is run with './tail -', the value of (*p++) in tail.c:2000 is '-', and the corresponding case will 'return false' because "obsolete_usage" is false (line 2008). Case 3: if it is run with '_POSIX2_VERSION=100 ./tail -' , the flow will indeed progress to line 2026 . But note that the original value 'p' points to a null-terminated string, which contains "-\0" . Advancing 'p' with (*p++) means '*p' is a non-null pointer, pointing to a NUL character (ascii 0x00). thus, checking 'ISDIGIT(*p)' is valid and does not cause any problem. If you have a different case in mind, please reply to this thread and an example. I'm therefor closing the bug, but discussion can continue. regards, - assaf From unknown Mon Aug 18 14:26:29 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 27 Feb 2016 12:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator