From: Paul Marinescu
To: bug-coreutils@gnu.org
Subject: cut segmentation fault with unbounded ranges
Date: Sun, 06 Feb 2011 16:15:30 +0000

In coreutils 8.9 (latest), the following commands trigger an invalid
memory access.

    cut -c1234567890- --output-d=: foo
    cut -f1234567890- --output-d=: foo
    cut -b1234567890- --output-d=: foo

The number 1234567890 is just a random number 'big enough' to make the
invalid access generate a segmentation fault but the invalid access
happens for values as low as 8 (valgrind)

The problem is that ranges going to end of line (i.e., 'x-') are not
taken into account when calculating the size of the printable_field
vector, but their lower bound is used as an index on line 525:

    if (output_delimiter_specified
        && !complement
        && eol_range_start && !is_printable_field (eol_range_start))

Paul

From: Jim Meyering
To: Paul Marinescu
Cc: 7992@debbugs.gnu.org
Subject: Re: bug#7992: cut segmentation fault with unbounded ranges
Date: Mon, 07 Feb 2011 08:50:59 +0100

Paul Marinescu wrote:
> In coreutils 8.9 (latest), the following commands trigger an invalid
> memory access.
>
>     cut -c1234567890- --output-d=: foo
>     cut -f1234567890- --output-d=: foo
>     cut -b1234567890- --output-d=: foo
>
> The number 1234567890 is just a random number 'big enough' to make the
> invalid access generate a segmentation fault but the invalid access
> happens for values as low as 8 (valgrind)
>
> The problem is that ranges going to end of line (i.e., 'x-') are not
> taken into account when calculating the size of the printable_field
> vector, but their lower bound is used as an index on line 525:
>
>     if (output_delimiter_specified
>         && !complement
>         && eol_range_start && !is_printable_field (eol_range_start))

Thanks a lot for the report.
Here's a fix:

>From 43be5f4911f252ac298ac19865487f543c12db02 Mon Sep 17 00:00:00 2001
From: Jim Meyering Date: Mon, 7 Feb 2011 08:29:33 +0100 Subject: [PATCH] cut: don't segfault for large unbounded range * src/cut.c (set_fields): When computing the maximum range endpoint, take into consideration the start of any unbounded range, like "999-". * NEWS (Bug fixes): Mention it. * tests/misc/cut (big-unbounded-b,c,f): Add tests. Reported by Paul Marinescu in http://debbugs.gnu.org/7993 The bug was introduced on 2004-12-04 via commit 7380cf79. --- NEWS | 6 ++++++ src/cut.c | 2 ++ tests/misc/cut | 4 ++++ 3 files changed, 12 insertions(+), 0 deletions(-) diff --git a/NEWS b/NEWS index 9c5a5a8..a367d8d 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,12 @@ GNU coreutils NEWS -*- outline -*- * Noteworthy changes in release ?.? (????-??-??) [?] +** Bug fixes + + cut could segfault when invoked with a user-specified output + delimiter and an unbounded range like "-f1234567890-". + [bug introduced in coreutils-5.3.0] + * Noteworthy changes in release 8.10 (2011-02-04) [stable] diff --git a/src/cut.c b/src/cut.c index 3f8e3e6..e2fe851 100644 --- a/src/cut.c +++ b/src/cut.c @@ -496,6 +496,8 @@ set_fields (const char *fieldstr) if (rp[i].hi > max_range_endpoint) max_range_endpoint = rp[i].hi; } + if (max_range_endpoint < eol_range_start) + max_range_endpoint = eol_range_start; /* Allocate an array large enough so that it may be indexed by the field numbers corresponding to all finite ranges diff --git a/tests/misc/cut b/tests/misc/cut index 4353994..c905ba9 100755 --- a/tests/misc/cut +++ b/tests/misc/cut 
@@ -150,6 +150,10 @@ my @Tests = {ERR=>$no_endpoint}], ['inval5', '-f', '1-,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}], ['inval6', '-f', '-1,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}], + # This would evoke a segfault from 5.3.0..6.10 + ['big-unbounded-b', '--output-d=:', '-b1234567890-', {IN=>''}, {OUT=>''}], + ['big-unbounded-c', '--output-d=:', '-c1234567890-', {IN=>''}, {OUT=>''}], + ['big-unbounded-f', '--output-d=:', '-f1234567890-', {IN=>''}, {OUT=>''}], ); @Tests = triple_test \@Tests; -- 1.7.4.2.g597a6
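
Review bot: The "Reported by Paul Marinescu in http://debbugs.gnu.org/7993" line in the commit message does not match the bug number in this thread's subject (bug#7992) or the 7992@debbugs.gnu.org Cc. Please confirm which number is intended before pushing, so the log entry links to the report it credits.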
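
Review bot: In the src/cut.c hunk, the context comment directly below the two added lines still says the array is indexed by "the field numbers corresponding to all finite ranges", which stops being accurate once max_range_endpoint can be raised to eol_range_start; the comment should mention the start of an unbounded range too. A second point on the same lines: the array size now follows the user-supplied start of the unbounded range (1234567890 in the new tests), while per the report that index is only consulted under output_delimiter_specified && !complement. Consider raising max_range_endpoint only when that condition can apply, or bounds-checking the lookup, so that a large "N-" does not force a large allocation in the cases that never read it.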
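
Review bot: The comment added in the tests/misc/cut hunk, "# This would evoke a segfault from 5.3.0..6.10", gives 6.10 as the last affected version, but the report is against coreutils 8.9 and the NEWS entry sits above the 8.10 release heading, so the upper bound looks wrong and should probably read 8.10. The three new cases also all use IN=>'' with OUT=>''; one more case with non-empty input, an output delimiter and an unbounded range would pin down the output as well as the absence of a crash.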

From: Jim Meyering
To: Paul Marinescu
Cc: 7992-done@debbugs.gnu.org
Subject: Re: bug#7992: cut segmentation fault with unbounded ranges
Date: Fri, 22 Jul 2011 23:54:45 +0200

Jim Meyering wrote:
> Paul Marinescu wrote:
>> In coreutils 8.9 (latest), the following commands trigger an invalid
>> memory access.
>>
>>     cut -c1234567890- --output-d=: foo
>>     cut -f1234567890- --output-d=: foo
>>     cut -b1234567890- --output-d=: foo
>>
>> The number 1234567890 is just a random number 'big enough' to make the
>> invalid access generate a segmentation fault but the invalid access
>> happens for values as low as 8 (valgrind)
>>
>> The problem is that ranges going to end of line (i.e., 'x-') are not
>> taken into account when calculating the size of the printable_field
>> vector, but their lower bound is used as an index on line 525:
>>
>>     if (output_delimiter_specified
>>         && !complement
>>         && eol_range_start && !is_printable_field (eol_range_start))
>
> Thanks a lot for the report.
> Here's a fix:
> ...
> Subject: [PATCH] cut: don't segfault for large unbounded range
>
> * src/cut.c (set_fields): When computing the maximum range endpoint,
> take into consideration the start of any unbounded range, like "999-".
> * NEWS (Bug fixes): Mention it.
> * tests/misc/cut (big-unbounded-b,c,f): Add tests.
> Reported by Paul Marinescu in http://debbugs.gnu.org/7993
> The bug was introduced on 2004-12-04 via commit 7380cf79.
...
> * Noteworthy changes in release ?.? (????-??-??) [?] > > +** Bug fixes > + > + cut could segfault when invoked with a user-specified output > + delimiter and an unbounded range like "-f1234567890-". > + [bug introduced in coreutils-5.3.0] > +

Fixed, so closing.
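
The sizing mismatch described in the report, and the effect of the check the fix adds, as a small model. This is an added example, not code from coreutils or from anyone in the thread. The names max_range_endpoint and eol_range_start come from the thread; the one-bit-per-field vector layout, the helper names and the sample inputs are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model only: identifiers max_range_endpoint and eol_range_start come from
   the thread; one bit per field and the helper names are assumptions. */
struct range { size_t lo, hi; };        /* one finite range such as "2-5" */

/* Bytes in a bit vector that can be indexed by 0..max_index (assumed layout). */
static size_t vector_bytes(size_t max_index)
{
    return max_index / CHAR_BIT + 1;
}

/* Largest index the vector must cover; `patched` applies the check the fix adds. */
static size_t max_endpoint(const struct range *rp, size_t n,
                           size_t eol_range_start, bool patched)
{
    size_t max_range_endpoint = 0;
    for (size_t i = 0; i < n; i++)
        if (rp[i].hi > max_range_endpoint)
            max_range_endpoint = rp[i].hi;
    if (patched && max_range_endpoint < eol_range_start)
        max_range_endpoint = eol_range_start;
    return max_range_endpoint;
}

/* Does testing bit eol_range_start stay inside the vector that gets allocated? */
static bool eol_lookup_in_bounds(const struct range *rp, size_t n,
                                 size_t eol_range_start, bool patched)
{
    size_t bytes = vector_bytes(max_endpoint(rp, n, eol_range_start, patched));
    return eol_range_start / CHAR_BIT < bytes;
}

int main(void)
{
    /* Constructed inputs: "-b7-", "-b8-" and "-b1234567890-", no finite ranges. */
    const size_t starts[] = { 7, 8, 1234567890 };
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++)
        printf("start=%zu unpatched_ok=%d patched_ok=%d patched_bytes=%zu\n",
               starts[i],
               eol_lookup_in_bounds(NULL, 0, starts[i], false),
               eol_lookup_in_bounds(NULL, 0, starts[i], true),
               vector_bytes(max_endpoint(NULL, 0, starts[i], true)));
    return 0;
}
```

Under the assumed layout the unpatched lookup first leaves the vector at a start of 8, which agrees with the value the reporter saw under valgrind, and the patched sizing for 1234567890 comes to roughly 147 MiB.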