GNU bug report logs - #7992: cut segmentation fault with unbounded ranges
Report forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#7992; Package coreutils. (Sun, 06 Feb 2011 18:27:02 GMT)
Acknowledgement sent to Paul Marinescu <paul.marinescu <at> imperial.ac.uk>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Sun, 06 Feb 2011 18:27:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
In coreutils 8.9 (latest), the following commands trigger an invalid
memory access.

  cut -c1234567890- --output-d=: foo
  cut -f1234567890- --output-d=: foo
  cut -b1234567890- --output-d=: foo

The number 1234567890 is just a random number 'big enough' to make the
invalid access generate a segmentation fault but the invalid access
happens for values as low as 8 (valgrind)

The problem is that ranges going to end of line (i.e., 'x-') are not
taken into account when calculating the size of the printable_field
vector, but their lower bound is used as an index on line 525:

  if (output_delimiter_specified
      && !complement
      && eol_range_start && !is_printable_field (eol_range_start))

Paul
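
The sizing mismatch described in the report above, as an added example that is not part of the original message or of the coreutils source. It is a simplified model that assumes one bit per field number; `max_endpoint`, `vector_bytes` and `lookup_in_bounds` are hypothetical helpers, and the start values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of cut's range list. The names printable_field,
   eol_range_start and max_range_endpoint come from the report and patch;
   everything else here is illustrative. */
struct range { size_t lo, hi; };            /* a finite range lo-hi */

/* Largest index the printable_field bit vector is sized for.
   include_eol=false models the sizing the report describes (finite
   ranges only); include_eol=true also counts the start of an "N-" range. */
static size_t max_endpoint(const struct range *rp, size_t n,
                           size_t eol_range_start, bool include_eol)
{
    size_t max_range_endpoint = 0;
    for (size_t i = 0; i < n; i++)
        if (rp[i].hi > max_range_endpoint)
            max_range_endpoint = rp[i].hi;
    if (include_eol && max_range_endpoint < eol_range_start)
        max_range_endpoint = eol_range_start;
    return max_range_endpoint;
}

/* Bytes backing a bit vector indexable by 0..max (assumed layout). */
static size_t vector_bytes(size_t max) { return max / 8 + 1; }

/* True when testing the bit for `field` stays inside the allocation. */
static bool lookup_in_bounds(size_t field, size_t max)
{
    return field / 8 < vector_bytes(max);
}

int main(void)
{
    /* Constructed inputs: "cut -fN-" with no finite range given. */
    size_t starts[] = { 7, 8, 1234567890 };
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++) {
        size_t before = max_endpoint(NULL, 0, starts[i], false);
        size_t after = max_endpoint(NULL, 0, starts[i], true);
        printf("N=%zu  finite-only: %zu byte(s), in bounds=%d;  "
               "with N- start: %zu byte(s), in bounds=%d\n", starts[i],
               vector_bytes(before), lookup_in_bounds(starts[i], before),
               vector_bytes(after), lookup_in_bounds(starts[i], after));
    }
    return 0;
}
```

In this model the lookup first leaves the one-byte vector at N=8, and counting the start of the unbounded range makes the vector size grow with N.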
Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#7992; Package coreutils. (Mon, 07 Feb 2011 07:43:01 GMT)
Message #8 received at 7992 <at> debbugs.gnu.org (full text, mbox):
Paul Marinescu wrote:
> In coreutils 8.9 (latest), the following commands trigger an invalid
> memory access.
>
> cut -c1234567890- --output-d=: foo
> cut -f1234567890- --output-d=: foo
> cut -b1234567890- --output-d=: foo
>
> The number 1234567890 is just a random number 'big enough' to make the
> invalid access generate a segmentation fault but the invalid access
> happens for values as low as 8 (valgrind)
>
> The problem is that ranges going to end of line (i.e., 'x-') are not
> taken into account when calculating the size of the printable_field
> vector, but their lower bound is used as an index on line 525:
>
> if (output_delimiter_specified
> && !complement
> && eol_range_start && !is_printable_field (eol_range_start))
Thanks a lot for the report.
Here's a fix:
From 43be5f4911f252ac298ac19865487f543c12db02 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering <at> redhat.com>
Date: Mon, 7 Feb 2011 08:29:33 +0100
Subject: [PATCH] cut: don't segfault for large unbounded range
* src/cut.c (set_fields): When computing the maximum range endpoint,
take into consideration the start of any unbounded range, like "999-".
* NEWS (Bug fixes): Mention it.
* tests/misc/cut (big-unbounded-b,c,f): Add tests.
Reported by Paul Marinescu in http://debbugs.gnu.org/7993
The bug was introduced on 2004-12-04 via commit 7380cf79.
---
NEWS | 6 ++++++
src/cut.c | 2 ++
tests/misc/cut | 4 ++++
3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/NEWS b/NEWS
index 9c5a5a8..a367d8d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,12 @@ GNU coreutils NEWS -*- outline -*-
* Noteworthy changes in release ?.? (????-??-??) [?]
+** Bug fixes
+
+ cut could segfault when invoked with a user-specified output
+ delimiter and an unbounded range like "-f1234567890-".
+ [bug introduced in coreutils-5.3.0]
+
* Noteworthy changes in release 8.10 (2011-02-04) [stable]
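Review bot: The example in the new NEWS entry, "-f1234567890-", reads as if a very large start value were needed, while the report in this thread says the invalid access happens for values as low as 8 and shows it for -b and -c as well as -f. Consider wording that names a small value too and says "could read outside its buffer or segfault", so that someone judging exposure from NEWS does not conclude small ranges were safe.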
diff --git a/src/cut.c b/src/cut.c
index 3f8e3e6..e2fe851 100644
--- a/src/cut.c
+++ b/src/cut.c
@@ -496,6 +496,8 @@ set_fields (const char *fieldstr)
if (rp[i].hi > max_range_endpoint)
max_range_endpoint = rp[i].hi;
}
+ if (max_range_endpoint < eol_range_start)
+ max_range_endpoint = eol_range_start;
/* Allocate an array large enough so that it may be indexed by
the field numbers corresponding to all finite ranges
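Review bot: With the two added lines, max_range_endpoint can now come from eol_range_start, so the array described in the comment just below is sized from a number typed on the command line; for -f1234567890- the allocation scales with that value even though no finite range needs it. An alternative is to leave the sizing alone and guard the lookup the report points at, checking eol_range_start against max_range_endpoint before calling is_printable_field (eol_range_start). If the sizing change stays, the comment's "all finite ranges" is no longer accurate and should mention the start of an unbounded range, and the new lines would benefit from a one-line comment saying why they are there.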
diff --git a/tests/misc/cut b/tests/misc/cut
index 4353994..c905ba9 100755
--- a/tests/misc/cut
+++ b/tests/misc/cut
@@ -150,6 +150,10 @@ my @Tests =
{ERR=>$no_endpoint}],
['inval5', '-f', '1-,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}],
['inval6', '-f', '-1,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}],
+ # This would evoke a segfault from 5.3.0..6.10
+ ['big-unbounded-b', '--output-d=:', '-b1234567890-', {IN=>''}, {OUT=>''}],
+ ['big-unbounded-c', '--output-d=:', '-c1234567890-', {IN=>''}, {OUT=>''}],
+ ['big-unbounded-f', '--output-d=:', '-f1234567890-', {IN=>''}, {OUT=>''}],
);
@Tests = triple_test \@Tests;
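Review bot: The comment on the first added line gives the affected span as 5.3.0..6.10, but the NEWS hunk in this same patch places the fix after release 8.10 and the report reproduces the problem on 8.9, so the upper bound looks like a typo for 8.10. Separately, all three tests use 1234567890 with empty input, which depends on the bad access landing on unmapped memory; the report says values as low as 8 are invalid only under valgrind, so a small-value case run under a memory checker would catch a regression that does not happen to crash.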
--
1.7.4.2.g597a6
Reply sent to Jim Meyering <jim <at> meyering.net>: You have taken responsibility. (Fri, 22 Jul 2011 21:55:01 GMT)
Notification sent to Paul Marinescu <paul.marinescu <at> imperial.ac.uk>: bug acknowledged by developer. (Fri, 22 Jul 2011 21:55:02 GMT)
Message #13 received at 7992-done <at> debbugs.gnu.org (full text, mbox):
Jim Meyering wrote:
> Paul Marinescu wrote:
>> In coreutils 8.9 (latest), the following commands trigger an invalid
>> memory access.
>>
>> cut -c1234567890- --output-d=: foo
>> cut -f1234567890- --output-d=: foo
>> cut -b1234567890- --output-d=: foo
>>
>> The number 1234567890 is just a random number 'big enough' to make the
>> invalid access generate a segmentation fault but the invalid access
>> happens for values as low as 8 (valgrind)
>>
>> The problem is that ranges going to end of line (i.e., 'x-') are not
>> taken into account when calculating the size of the printable_field
>> vector, but their lower bound is used as an index on line 525:
>>
>> if (output_delimiter_specified
>> && !complement
>> && eol_range_start && !is_printable_field (eol_range_start))
>
> Thanks a lot for the report.
> Here's a fix:
>
...
> Subject: [PATCH] cut: don't segfault for large unbounded range
>
> * src/cut.c (set_fields): When computing the maximum range endpoint,
> take into consideration the start of any unbounded range, like "999-".
> * NEWS (Bug fixes): Mention it.
> * tests/misc/cut (big-unbounded-b,c,f): Add tests.
> Reported by Paul Marinescu in http://debbugs.gnu.org/7993
> The bug was introduced on 2004-12-04 via commit 7380cf79.
...
> * Noteworthy changes in release ?.? (????-??-??) [?]
>
> +** Bug fixes
> +
> + cut could segfault when invoked with a user-specified output
> + delimiter and an unbounded range like "-f1234567890-".
> + [bug introduced in coreutils-5.3.0]
> +
Fixed, so closing.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 20 Aug 2011 11:24:06 GMT)
This bug report was last modified 13 years and 308 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.