GNU bug report logs - #22489
A bug in tail.c

Package: coreutils;

Reported by: Lei Wang <wangcppclei <at> gmail.com>

Date: Fri, 29 Jan 2016 16:41:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Lei Wang <wangcppclei <at> gmail.com>
Subject: bug#22489: closed (Re: bug#22489: A bug in tail.c)
Date: Fri, 29 Jan 2016 18:31:02 +0000
Your bug report

#22489: A bug in tail.c

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 22489 <at> debbugs.gnu.org.

-- 
22489: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22489
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Lei Wang <wangcppclei <at> gmail.com>, 22489-done <at> debbugs.gnu.org
Subject: Re: bug#22489: A bug in tail.c
Date: Fri, 29 Jan 2016 10:29:57 -0800
On 01/29/2016 04:38 AM, Lei Wang wrote:
> There is one condition that can lead to program
> overflow, namely argc==2 and argv[1] has only one character; for example
> ./tail x will access the next character after x. This may be a bug

I don't see a bug there. The next character is a null byte, and ISDIGIT 
('\0') is false so the code should do the right thing. I don't think 
there is a test case that illustrates wrong behavior, but if I'm wrong 
please reply with a test case (a shell command invoking 'tail') and I'll 
reopen the bug report.

[Message part 3 (message/rfc822, inline)]
From: Lei Wang <wangcppclei <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: A bug in tail.c
Date: Fri, 29 Jan 2016 20:38:39 +0800
Version: GNU Coreutils 8.20-8.25
File: tail.c
Bug description:
Line 1979, the parse_obsolete_option() function has three parameters: argc,
argv, n_units. We only need to focus on argc and argv, which are from the
main() function. Line 1992 filters argc and argv. When argc==2, line
1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while
(ISDIGIT (*p)) accesses p. There is one condition that can lead to program
overflow, namely argc==2 and argv[1] has only one character; for example
./tail x will access the next character after x. This may be a bug, but
it cannot lead to a program crash.
--WangLei

This bug report was last modified 9 years and 176 days ago.
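
The reads described in the report, replayed as an added example (not coreutils code and not written by either poster): the helper `highest_index_read`, the `IS_DIGIT` macro and the empty-argument guard are this example's own assumptions, and the sample arguments are constructed. It shows that for a one-character argument the digit scan stops on the terminating NUL at index 1, which is still part of the string's storage.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Digit test written for this example: true only for '0'..'9',
   so the NUL terminator ('\0') never counts as a digit.  */
#define IS_DIGIT(c) ((unsigned int) (c) - '0' <= 9)

/* Hypothetical helper: performs the reads the report lists (take arg[0],
   advance, then scan while the current byte is a digit) and returns the
   highest index that was read.  */
static size_t
highest_index_read (char const *arg)
{
  char const *p = arg;
  if (*p == '\0')            /* guard added here: empty argument, */
    return 0;                /* only the terminator at index 0 is read */
  char first = *p++;         /* read arg[0]; p now points at arg[1] */
  (void) first;
  while (IS_DIGIT (*p))      /* reads arg[1], arg[2], ... */
    p++;
  return (size_t) (p - arg); /* index of the byte that stopped the scan */
}

/* A scan is in bounds when it reads no further than the terminating NUL,
   which sits at index strlen (arg).  */
static int
reads_stay_in_bounds (char const *arg)
{
  return highest_index_read (arg) <= strlen (arg);
}

int
main (void)
{
  /* Constructed sample arguments, each standing in for argv[1].  */
  char const *samples[] = { "x", "+", "-5", "+123", "7abc", "" };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    printf ("\"%s\": strlen=%zu, highest index read=%zu, in bounds=%d\n",
            samples[i], strlen (samples[i]),
            highest_index_read (samples[i]),
            reads_stay_in_bounds (samples[i]));
  return 0;
}
```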
