GNU bug report logs - #25390: Segfault with sed 4.3
Reported by: "S. Gilles" <sgilles <at> math.umd.edu>
Date: Sun, 8 Jan 2017 07:09:01 UTC
Severity: normal
Tags: fixed
Done: Assaf Gordon <assafgordon <at> gmail.com>
Bug is archived. No further changes may be made.
Hello,
> On Jan 8, 2017, at 00:31, S. Gilles <sgilles <at> math.umd.edu> wrote:
>
>> I have a reliable segfault with (vanilla) sed 4.3 which does not appear
>> on (vanilla) 4.2.2.
Thank you for the report!
I can confirm the segfault is reproducible.
The immediate cause is somewhere in gnulib's DFA module.
A shorter example:
printf '$LINENO $LINEN\nB\n' | sed -e 'N;s/\$LINENO\(.*\n\)/\1/'
====
$ printf '$LINENO $LINEN\nB\n' > in.txt
$ printf '%s\n' 'N;s/\$LINENO\(.*\n\)/\1/' > prog.sed
$ gdb ./sed/sed
(gdb) r -f prog.sed in.txt
Starting program: /home/gordon/projects/sed/sed/sed -f prog.sed in.txt
Program received signal SIGSEGV, Segmentation fault.
0x0000000000412384 in dfaexec_main (d=0x6250b0, begin=0x623b50 "$LINENO $LINEN\nB\n", end=0x623b60 "\n",
allow_nl=true, count=0x0, multibyte=false) at lib/dfa.c:3169
3169 s1 = t[*p++];
(gdb) bt
#0 0x0000000000412384 in dfaexec_main (d=0x6250b0, begin=0x623b50 "$LINENO $LINEN\nB\n",
end=0x623b60 "\n", allow_nl=true, count=0x0, multibyte=false) at lib/dfa.c:3169
#1 0x0000000000412833 in dfaexec_sb (d=0x6250b0, begin=0x623b50 "$LINENO $LINEN\nB\n",
end=0x623b60 "\n", allow_nl=true, count=0x0, backref=0x7fffffffbff7) at lib/dfa.c:3266
#2 0x00000000004128a5 in dfaexec (d=0x6250b0, begin=0x623b50 "$LINENO $LINEN\nB\n", end=0x623b60 "\n",
allow_nl=true, count=0x0, backref=0x7fffffffbff7) at lib/dfa.c:3287
#3 0x0000000000409359 in match_regex (regex=0x623c10, buf=0x623b50 "$LINENO $LINEN\nB\n", buflen=16,
buf_start_offset=0, regarray=0x61ff10 <regs>, regsize=2) at sed/regexp.c:345
#4 0x0000000000407859 in do_subst (sub=0x622500) at sed/execute.c:1030
#5 0x00000000004086d4 in execute_program (vec=0x6224d0, input=0x7fffffffe170) at sed/execute.c:1517
#6 0x0000000000408abc in process_files (the_program=0x6224d0, argv=0x7fffffffe3c0) at sed/execute.c:1687
#7 0x0000000000409d88 in main (argc=4, argv=0x7fffffffe3a8) at sed/sed.c:377
===
Looking into it, hope to have a fix soon.
regards,
- assaf
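
A regression check built from the reproducer above, as an added example that is not part of the original message or of sed's own test suite: it feeds the report's input and script to a chosen sed and reports whether the process was killed by a signal. The function names and the `SED_BIN` variable are assumptions, and the expected output was worked out by hand from the sed script.

```shell
#!/bin/sh
# Added example (not from the report): regression check for bug #25390.
# Function names and the SED_BIN variable are hypothetical.

# Translate a shell exit status into a verdict. A status above 128 means
# the process died from signal (status - 128); SIGSEGV is 11, hence 139.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:signal-$(($1 - 128))"
    else
        echo "error:exit-$1"
    fi
}

# Feed the report's two-line input and sed script to the given sed command
# and print one of: ok, wrong-output, crash:signal-N, error:exit-N.
check_sed_25390() {
    sed_bin=${1:-sed}
    status=0
    # "|| status=$?" records the failure and keeps going under "set -e".
    out=$(printf '$LINENO $LINEN\nB\n' |
          "$sed_bin" -e 'N;s/\$LINENO\(.*\n\)/\1/' 2>/dev/null) || status=$?
    verdict=$(classify_status "$status")
    # Expected output, derived by hand: N joins both lines, then the
    # substitution drops the literal "$LINENO" and keeps group 1.
    expected=$(printf ' $LINEN\nB')
    if [ "$verdict" = "ok" ] && [ "$out" != "$expected" ]; then
        verdict="wrong-output"
    fi
    echo "$verdict"
}

# Check the sed named by SED_BIN, or the one found on PATH.
check_sed_25390 "${SED_BIN:-sed}"
```

A build affected by this report prints `crash:signal-11`; point `SED_BIN` at a freshly built binary to confirm a fix before installing it.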