[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug report: tac crash
From: |
Jim Meyering |
Subject: |
Re: Bug report: tac crash |
Date: |
Mon, 05 May 2008 00:28:02 +0200 |
Daniel Dunbar <address@hidden> wrote:
> The following crashes tac on my machine (6.10 and 6.11):
> --
> $ echo > x; tac -r x x
> Segmentation fault
> --
>
> The crash occurs in re_copy_regs and the error has to do with the code
> assuming regs->num_regs is initialized when it is not, in conjunction with
> the regs_allocated parameter. This results in the final loop scribbling -1
> over
> varying and often large amounts of memory.
>
> It looks to me like the problem is re_copy_regs assuming the state of the
> re_pattern_buffer and the re_registers are in sync, but this doesn't hold when
> tac makes multiple re_search calls with the registers on the stack.
Hi Daniel,
Thanks for the report and analysis!
Here's the fix I expect to push once I've added a test.
>From 8449b56e600e77e6a76f80a6cb425b90e4251319 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Mon, 5 May 2008 00:07:08 +0200
Subject: [PATCH] tac: avoid segfault for e.g., "echo > x; tac -r x x"
* src/tac.c (tac_seekable): Move local "regs" declaration out
to file scope, so its values aren't clobbered between calls.
* NEWS: Mention the bug fix.
Discovered by Cristian Cadar, Daniel Dunbar and Dawson Engler.
Signed-off-by: Jim Meyering <address@hidden>
---
NEWS | 3 +++
src/tac.c | 2 +-
2 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/NEWS b/NEWS
index 2343482..8027cf7 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ GNU coreutils NEWS -*-
outline -*-
Printing of such large-numbered, kernel-only (not in /etc/group) group-IDs
was suppressed in 6.11 due to ignorance that they are useful.
+ tac: avoid segfault with --regex (-r) and multiple files, e.g.,
+ "echo > x; tac -r x x". [bug present at least in textutils-1.8b, from 1992]
+
uniq: avoid subtle field-skipping malfunction due to isblank misuse.
In some locales on some systems, isblank(240) (aka  ) is nonzero.
On such systems, uniq --skip-fields=N would fail to skip the proper
diff --git a/src/tac.c b/src/tac.c
index 262bf87..e9ba10d 100644
--- a/src/tac.c
+++ b/src/tac.c
@@ -110,6 +110,7 @@ static size_t G_buffer_size;
/* The compiled regular expression representing `separator'. */
static struct re_pattern_buffer compiled_separator;
static char compiled_separator_fastmap[UCHAR_MAX + 1];
+static struct re_registers regs;
static struct option const longopts[] =
{
@@ -212,7 +213,6 @@ tac_seekable (int input_fd, const char *file)
char first_char = *separator; /* Speed optimization, non-regexp. */
char const *separator1 = separator + 1; /* Speed optimization, non-regexp. */
size_t match_length1 = match_length - 1; /* Speed optimization, non-regexp.
*/
- struct re_registers regs;
/* Find the size of the input file. */
file_pos = lseek (input_fd, (off_t) 0, SEEK_END);
--
1.5.5.1.117.ga349