GNU bug report logs - #22489
A bug in tail.c


Package: coreutils;

Reported by: Lei Wang <wangcppclei <at> gmail.com>

Date: Fri, 29 Jan 2016 16:41:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #13 received at 22489 <at> debbugs.gnu.org (full text, mbox):

From: Assaf Gordon <assafgordon <at> gmail.com>
To: Lei Wang <wangcppclei <at> gmail.com>, 22489 <at> debbugs.gnu.org
Subject: Re: bug#22489: A bug in tail.c
Date: Fri, 29 Jan 2016 14:14:16 -0500
tag 22489 notabug
close 22489
stop

Hello WangLei,

Thank you for the report, however this is not a bug.

On 01/29/2016 07:38 AM, Lei Wang wrote:
> Version: GNU Coreutils 8.20-8.25
> File: tail.c
> Bug description:
> Line 1979, the parse_obsolete_option() function has three parameters: argc,
> argv, n_units. We only need to focus on argc and argv, which come from the
> main() function. Line 1992 filters the argc and argv. When argc==2, line
> 1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while
> (ISDIGIT (*p)) accesses p. There is one condition that can lead to program
> overflow, thus argc==2 and argv[1] has only one character, for example
> ./tail x , will access the next character after x. This may be a bug, but
> cannot lead to a program crash.
> --WangLei
>

Case 1:
based on your scenario of './tail x' , in tail.c:2000, the value of (*p++) is the character 'x'.
The switch statement will therefore go to the 'default' case and return immediately (line 2003).

Case 2:
if it is run with './tail -', the value of (*p++) in tail.c:2000 is '-', and the corresponding case will 'return false' because "obsolete_usage" is false (line 2008).

Case 3:
if it is run with '_POSIX2_VERSION=100 ./tail -' , the flow will indeed progress to line 2026 .
But note that the original value 'p' points to a null-terminated string, which contains "-\0" .
Advancing 'p' with (*p++) means '*p' is a non-null pointer, pointing to a NUL character (ascii 0x00).
Thus, checking 'ISDIGIT(*p)' is valid and does not cause any problem.


If you have a different case in mind, please reply to this thread with an example.

I'm therefore closing the bug, but discussion can continue.

regards,
 - assaf
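As an added illustration (not code from tail.c or from either participant in this thread), the following C model reproduces the flow Assaf walks through: the argc filter, the (*p++) switch, the obsolete-usage check standing in for _POSIX2_VERSION, and the digit loop. The function and enum names are constructed; the only assumption is that argv strings are NUL-terminated, which is what makes the one-character case safe.

```c
/* Constructed model of the parse_obsolete_option() flow discussed above.
   It records where p stops, so the caller can verify that p never moves
   past the terminating NUL of argv[1]. Names are constructed, not tail.c's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cast to unsigned char so a negative char is never interpreted badly;
   the comparison itself is safe on any byte, including NUL (0x00). */
#define ISDIGIT(c) ((unsigned char)(c) >= '0' && (unsigned char)(c) <= '9')

enum parse_result {
    NOT_OBSOLETE_ARGC,  /* argc filter rejects it (argc != 2) */
    DEFAULT_CASE,       /* first char is not '-' or '+': returns early (case 1) */
    DASH_NOT_OBSOLETE,  /* '-' but obsolete usage is disabled (case 2) */
    PARSED_DIGITS       /* reached the ISDIGIT loop (case 3) */
};

/* argc/argv as main() received them; obsolete_usage models the
   _POSIX2_VERSION check. *end_offset receives p - argv[1] at exit. */
static enum parse_result
parse_obsolete_model(int argc, char **argv, bool obsolete_usage, size_t *end_offset)
{
    *end_offset = 0;
    if (argc != 2)
        return NOT_OBSOLETE_ARGC;
    const char *p = argv[1];
    switch (*p++) {             /* inspect argv[1][0], then advance to argv[1][1] */
    default:
        *end_offset = (size_t)(p - argv[1]);
        return DEFAULT_CASE;
    case '-':
        if (!obsolete_usage) {
            *end_offset = (size_t)(p - argv[1]);
            return DASH_NOT_OBSOLETE;
        }
        break;
    case '+':
        break;
    }
    /* For a one-character argument p now points at the NUL terminator,
       which is still inside the string, so ISDIGIT(*p) is a valid read
       and the loop stops immediately. */
    while (ISDIGIT(*p))
        p++;
    *end_offset = (size_t)(p - argv[1]);
    return PARSED_DIGITS;
}
```

In every case the offset reported is at most strlen(argv[1]), i.e. p stops on or before the NUL byte that terminates the argument.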


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.