From: Paul Marinescu
To: bug-coreutils@gnu.org
Subject: bug#7992: cut segmentation fault with unbounded ranges
Date: Sun, 06 Feb 2011 16:15:30 +0000

In coreutils 8.9 (latest), the following commands trigger an invalid
memory access.

cut -c1234567890- --output-d=: foo
cut -f1234567890- --output-d=: foo
cut -b1234567890- --output-d=: foo

The number 1234567890 is just a random number 'big enough' to make the
invalid access generate a segmentation fault but the invalid access
happens for values as low as 8 (valgrind)

The problem is that ranges going to end of line (i.e., 'x-') are not
taken into account when calculating the size of the printable_field
vector, but their lower bound is used as an index on line 525:

if (output_delimiter_specified
    && !complement
    && eol_range_start && !is_printable_field (eol_range_start))

Paul

From: Jim Meyering
To: Paul Marinescu
Cc: 7992@debbugs.gnu.org
Subject: bug#7992: cut segmentation fault with unbounded ranges
Date: Mon, 07 Feb 2011 08:50:59 +0100

Paul Marinescu wrote:
> In coreutils 8.9 (latest), the following commands trigger an invalid
> memory access.
>
> cut -c1234567890- --output-d=: foo
> cut -f1234567890- --output-d=: foo
> cut -b1234567890- --output-d=: foo
>
> The number 1234567890 is just a random number 'big enough' to make the
> invalid access generate a segmentation fault but the invalid access
> happens for values as low as 8 (valgrind)
>
> The problem is that ranges going to end of line (i.e., 'x-') are not
> taken into account when calculating the size of the printable_field
> vector, but their lower bound is used as an index on line 525:
>
> if (output_delimiter_specified
>     && !complement
>     && eol_range_start && !is_printable_field (eol_range_start))

Thanks a lot for the report.
Here's a fix:

>From 43be5f4911f252ac298ac19865487f543c12db02 Mon Sep 17 00:00:00 2001
From: Jim Meyering Date: Mon, 7 Feb 2011 08:29:33 +0100 Subject: [PATCH] cut: don't segfault for large unbounded range * src/cut.c (set_fields): When computing the maximum range endpoint, take into consideration the start of any unbounded range, like "999-". * NEWS (Bug fixes): Mention it. * tests/misc/cut (big-unbounded-b,c,f): Add tests. Reported by Paul Marinescu in http://debbugs.gnu.org/7993 The bug was introduced on 2004-12-04 via commit 7380cf79. --- NEWS | 6 ++++++ src/cut.c | 2 ++ tests/misc/cut | 4 ++++ 3 files changed, 12 insertions(+), 0 deletions(-) diff --git a/NEWS b/NEWS index 9c5a5a8..a367d8d 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,12 @@ GNU coreutils NEWS -*- outline -*- * Noteworthy changes in release ?.? (????-??-??) [?] +** Bug fixes + + cut could segfault when invoked with a user-specified output + delimiter and an unbounded range like "-f1234567890-". + [bug introduced in coreutils-5.3.0] + * Noteworthy changes in release 8.10 (2011-02-04) [stable] diff --git a/src/cut.c b/src/cut.c index 3f8e3e6..e2fe851 100644 --- a/src/cut.c +++ b/src/cut.c @@ -496,6 +496,8 @@ set_fields (const char *fieldstr) if (rp[i].hi > max_range_endpoint) max_range_endpoint = rp[i].hi; } + if (max_range_endpoint < eol_range_start) + max_range_endpoint = eol_range_start; /* Allocate an array large enough so that it may be indexed by the field numbers corresponding to all finite ranges diff --git a/tests/misc/cut b/tests/misc/cut index 4353994..c905ba9 100755 --- a/tests/misc/cut +++ b/tests/misc/cut 
@@ -150,6 +150,10 @@ my @Tests = {ERR=>$no_endpoint}], ['inval5', '-f', '1-,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}], ['inval6', '-f', '-1,-', {IN=>''}, {OUT=>''}, {EXIT=>1}, {ERR=>$no_endpoint}], + # This would evoke a segfault from 5.3.0..6.10 + ['big-unbounded-b', '--output-d=:', '-b1234567890-', {IN=>''}, {OUT=>''}], + ['big-unbounded-c', '--output-d=:', '-c1234567890-', {IN=>''}, {OUT=>''}], + ['big-unbounded-f', '--output-d=:', '-f1234567890-', {IN=>''}, {OUT=>''}], ); @Tests = triple_test \@Tests; -- 1.7.4.2.g597a6
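
Review bot: The commit message cites http://debbugs.gnu.org/7993 as the report, while this thread and its subject line are bug#7992; please check the bug number in the "Reported by" line before pushing.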
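
Review bot: In the src/cut.c hunk, the context comment directly below the added lines still says the array is sized for "the field numbers corresponding to all finite ranges", which is stale once max_range_endpoint can be raised to eol_range_start; please update that comment in the same commit. Raising the endpoint also ties the size of the allocation to a user-supplied number (the new tests pass 1234567890) only so that a single lookup of eol_range_start stays in bounds, so consider guarding that lookup at its call site instead, treating eol_range_start > max_range_endpoint as "not printable", and leaving the array sized by the finite ranges.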
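
Review bot: The comment added in the tests/misc/cut hunk gives the affected versions as 5.3.0..6.10, but the report in this thread reproduces the fault in 8.9 and the NEWS entry is placed above the 8.10 release, so the upper bound looks wrong; please correct it. The three new cases also use empty input (IN=>''), which only checks that cut does not crash; one more case with a non-empty input line would also pin down the output when --output-d is combined with an unbounded range.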

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Marinescu
Subject: bug#7992: closed (Re: bug#7992: cut segmentation fault with unbounded ranges)
Date: Fri, 22 Jul 2011 21:55:02 +0000

Your bug report

#7992: cut segmentation fault with unbounded ranges

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 7992@debbugs.gnu.org.

-- 
7992: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=7992
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Jim Meyering
To: Paul Marinescu
Cc: 7992-done@debbugs.gnu.org
Subject: Re: bug#7992: cut segmentation fault with unbounded ranges
Date: Fri, 22 Jul 2011 23:54:45 +0200

Jim Meyering wrote:
> Paul Marinescu wrote:
>> In coreutils 8.9 (latest), the following commands trigger an invalid
>> memory access.
>>
>> cut -c1234567890- --output-d=: foo
>> cut -f1234567890- --output-d=: foo
>> cut -b1234567890- --output-d=: foo
>>
>> The number 1234567890 is just a random number 'big enough' to make the
>> invalid access generate a segmentation fault but the invalid access
>> happens for values as low as 8 (valgrind)
>>
>> The problem is that ranges going to end of line (i.e., 'x-') are not
>> taken into account when calculating the size of the printable_field
>> vector, but their lower bound is used as an index on line 525:
>>
>> if (output_delimiter_specified
>>     && !complement
>>     && eol_range_start && !is_printable_field (eol_range_start))
>
> Thanks a lot for the report.
> Here's a fix:
>
...
> Subject: [PATCH] cut: don't segfault for large unbounded range
>
> * src/cut.c (set_fields): When computing the maximum range endpoint,
> take into consideration the start of any unbounded range, like "999-".
> * NEWS (Bug fixes): Mention it.
> * tests/misc/cut (big-unbounded-b,c,f): Add tests.
> Reported by Paul Marinescu in http://debbugs.gnu.org/7993
> The bug was introduced on 2004-12-04 via commit 7380cf79.
...
> * Noteworthy changes in release ?.? (????-??-??) [?]
>
> +** Bug fixes
> +
> + cut could segfault when invoked with a user-specified output
> + delimiter and an unbounded range like "-f1234567890-".
> + [bug introduced in coreutils-5.3.0]
> +

Fixed, so closing.
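
A small model of the sizing bug described in the report and of the check the patch adds, as an added example (it is not coreutils source and not code from this thread). The struct and function names are hypothetical, and the one-bit-per-field vector of max_range_endpoint / CHAR_BIT + 1 bytes is an assumption chosen to match the report's remark that values as low as 8 already fault; the lookup is bounds-checked so the out-of-range case is reported instead of performed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model with hypothetical names; not the coreutils source. */
struct range { size_t lo, hi; };      /* one finite range "lo-hi" */
struct field_map {
  unsigned char *bits;                /* one bit per field number (assumed) */
  size_t nbytes;                      /* size of the allocation */
};

/* Size the vector from the finite ranges and, with apply_fix, also from the
   start of the unbounded range, as the patch does.  Returns 0 on success. */
int build_map(struct field_map *m, const struct range *rp, size_t n,
              size_t eol_range_start, int apply_fix)
{
  size_t max_range_endpoint = 0;
  for (size_t i = 0; i < n; i++)
    if (rp[i].hi > max_range_endpoint)
      max_range_endpoint = rp[i].hi;
  if (apply_fix && max_range_endpoint < eol_range_start)
    max_range_endpoint = eol_range_start;
  m->nbytes = max_range_endpoint / CHAR_BIT + 1;
  m->bits = calloc(m->nbytes, 1);
  if (!m->bits) return -1;
  for (size_t i = 0; i < n; i++)
    for (size_t j = rp[i].lo; j <= rp[i].hi; j++)
      m->bits[j / CHAR_BIT] |= 1u << (j % CHAR_BIT);
  return 0;
}

/* Bounds-checked lookup: 1 or 0 for a field inside the vector, -1 where an
   unchecked read would fall outside the allocation. */
int checked_is_printable(const struct field_map *m, size_t field)
{
  size_t byte = field / CHAR_BIT;
  if (byte >= m->nbytes) return -1;
  return (m->bits[byte] >> (field % CHAR_BIT)) & 1;
}

/* The lookup from the report, indexed by eol_range_start; -2 if calloc fails. */
int lookup_eol_start(const struct range *rp, size_t n, size_t start, int fix)
{
  struct field_map m;
  if (build_map(&m, rp, n, start, fix) != 0) return -2;
  int result = checked_is_printable(&m, start);
  free(m.bits);
  return result;
}
```

With no finite ranges the model allocates one byte, so a start of 7 still lands inside it and 8 is the first value that does not; with the added check enabled the same lookup stays inside the vector.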