retitle 39165 [PATCH] sed: handle very long execution lines
reassign 39165 sed
submitter 39165 Tobias Stoeckmann
severity 39165 normal
tag 39165 patch

From: Tobias Stoeckmann
To: bug-sed@gnu.org
Subject: [PATCH] sed: handle very long execution lines
Date: Fri, 17 Jan 2020 20:49:33 +0100
Message-ID: <20200117194933.ribsxwlyuqrr7kft@localhost>

If sed is called with an excessively long execution line, then it
is prone to an out of boundary memory access.

The problem is that the length of the execution line, which is a size_t, is temporarily stored in an int. This means that on systems which have a 64 bit size_t and a 32 bit int (e.g. linux amd64) an execution line which exceeds 2 GB will overflow int. If it is just slightly larger than 2 GB, the negative int value is used as an array index to finish the execution line string with '\0' which therefore triggers the out of boundary access.

This problem is probably never triggered in reality, but can be provoked like this (given that 'e' support is compiled in):

$ dd if=/dev/zero bs=1M count=2049 | tr '\0' 'e' > e-command.txt
$ sed -f e-command.txt /etc/fstab
Segmentation fault (core dumped)
$ _

While at it, I also adjusted another int/size_t conversion, even though it is a purely cosmetical change, because it can never be larger than 4096.

Signed-off-by: Tobias Stoeckmann
--- sed/execute.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sed/execute.c b/sed/execute.c index c5f07cc..8f43f2e 100644 --- a/sed/execute.c +++ b/sed/execute.c @@ -1347,7 +1347,7 @@ execute_program (struct vector *vec, struct input *input) panic (_("`e' command not supported")); #else FILE *pipe_fp; - int cmd_length = cur_cmd->x.cmd_txt.text_length; + size_t cmd_length = cur_cmd->x.cmd_txt.text_length; line_reset (&s_accum, NULL); if (!cmd_length) 
@@ -1367,7 +1367,7 @@ execute_program (struct vector *vec, struct input *input) { char buf[4096]; - int n; + size_t n; while (!feof (pipe_fp)) if ((n = fread (buf, sizeof (char), 4096, pipe_fp)) > 0) { -- 2.25.0
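Review bot: in the first hunk (sed/execute.c around line 1347) the write that terminates the command string with '\0', which the commit message names as the faulting access, lies outside the shown context, so the diff alone does not show that every later use of cmd_length is safe with an unsigned type. Please confirm that no remaining use in this case block passes cmd_length to an int parameter or compares it against a negative value, and consider a short comment on the declaration stating that its type must match that of text_length.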
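Review bot: in the second hunk (around line 1367) the read loop is still controlled only by `!feof (pipe_fp)`, and with n now a size_t the `> 0` test simply means "non-zero", so a zero return from fread caused by a read error is not distinguished from end of file in the visible lines. If the rest of the loop has no `ferror (pipe_fp)` check, add one so a failing pipe cannot keep the loop running; separately, `sizeof buf` in place of the repeated literal 4096 would keep the count tied to the buffer declaration.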
From: Jim Meyering
Date: Fri, 17 Jan 2020 18:27:20 -0800
Subject: Re: bug#39165: [PATCH] sed: handle very long execution lines
To: Tobias Stoeckmann
Cc: 39165@debbugs.gnu.org

On Fri, Jan 17, 2020 at 1:11 PM Tobias Stoeckmann wrote:
> If sed is called with an excessively long execution line, then it is
> prone to an out of boundary memory access.
...

Good find and patch. Thank you!
I've adjusted your commit log slightly. The "tiny change" note indicates that your diff is small enough that you do not have to assign copyright. I have also made minor wording changes, added the standard ChangeLog-style filename (function) lines and added the obligatory bug-fix reference in NEWS.

We could add a test for this and even label it "expensive" or "very-expensive", but so far I don't think it's worthwhile.

Will push the attached tomorrow.
[Attachment: sed-2G-execute-line-segv.diff]
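The narrowing described in the report above, as an added example that is not part of the original thread or of sed's code: it models a 64-bit length stored in a 32-bit int and classifies what an index derived from it would do. The function names and the sample lengths other than 2049 MiB are constructed here, and the last sample goes beyond the report's case by showing a length above 4 GiB that wraps to a small positive value.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum outcome { LEN_OK, LEN_NEGATIVE_INDEX, LEN_WRONG_POSITIVE };

/* Value a 32-bit int holds after a 64-bit length is stored in it
   (two's-complement wrap, as GCC and Clang do on amd64). Computed
   arithmetically so the result does not depend on the compiler. */
static int32_t stored_as_int32(uint64_t len)
{
    uint32_t low = (uint32_t)(len & 0xFFFFFFFFu);    /* low 32 bits survive */
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - 0x80000000u) + INT32_MIN; /* sign bit was set */
}

/* What happens to code that indexes a buffer with the narrowed length. */
static enum outcome classify(uint64_t len)
{
    int32_t n = stored_as_int32(len);
    if (n < 0)
        return LEN_NEGATIVE_INDEX;   /* index points before the buffer */
    if ((uint64_t)n != len)
        return LEN_WRONG_POSITIVE;   /* in range, but not the real length */
    return LEN_OK;
}

/* Guard for code that has to keep an int: reject instead of narrowing. */
static bool fits_int(uint64_t len)
{
    return len <= (uint64_t)INT_MAX;
}

int main(void)
{
    /* Constructed lengths; 2049 MiB is the size used in the report. */
    const uint64_t samples[] = { 4096, INT32_MAX, (uint64_t)2049 << 20,
                                 ((uint64_t)1 << 32) + 16 };
    static const char *const names[] = { "ok", "negative index", "wrong length" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%llu -> %ld (%s, fits_int=%d)\n",
               (unsigned long long)samples[i],
               (long)stored_as_int32(samples[i]),
               names[classify(samples[i])], fits_int(samples[i]));
    return 0;
}
```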