Re: Bug report: tac crash

[Jim Meyering]

Daniel Dunbar <address@hidden> wrote:
> The following crashes tac on my machine (6.10 and 6.11):
> --
> $ echo > x; tac -r x x
> Segmentation fault
> --
>
> The crash occurs in re_copy_regs and the error has to do with the code
> assuming regs->num_regs is initialized when it is not, in conjunction with
> the regs_allocated parameter. This results in the final loop scribbling -1 
> over
> varying and often large amounts of memory.
>
> It looks to me like the problem is re_copy_regs assuming the state of the
> re_pattern_buffer and the re_registers are in sync, but this doesn't hold when
> tac makes multiple re_search calls with the registers on the stack.

Hi Daniel,
Thanks for the report and analysis!
Here's the fix I expect to push once I've added a test.

>From 8449b56e600e77e6a76f80a6cb425b90e4251319 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Mon, 5 May 2008 00:07:08 +0200
Subject: [PATCH] tac: avoid segfault for e.g., "echo > x; tac -r x x"

* src/tac.c (tac_seekable): Move local "regs" declaration out
to file scope, so its values aren't clobbered between calls.
* NEWS: Mention the bug fix.
Discovered by Cristian Cadar, Daniel Dunbar and Dawson Engler.

Signed-off-by: Jim Meyering <address@hidden>
---
 NEWS      |    3 +++
 src/tac.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/NEWS b/NEWS
index 2343482..8027cf7 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ GNU coreutils NEWS                                    -*- 
outline -*-
   Printing of such large-numbered, kernel-only (not in /etc/group) group-IDs
   was suppressed in 6.11 due to ignorance that they are useful.

+  tac: avoid segfault with --regex (-r) and multiple files, e.g.,
+  "echo > x; tac -r x x".  [bug present at least in textutils-1.8b, from 1992]
+
   uniq: avoid subtle field-skipping malfunction due to isblank misuse.
   In some locales on some systems, isblank(240) (aka &nbsp) is nonzero.
   On such systems, uniq --skip-fields=N would fail to skip the proper
diff --git a/src/tac.c b/src/tac.c
index 262bf87..e9ba10d 100644
--- a/src/tac.c
+++ b/src/tac.c
@@ -110,6 +110,7 @@ static size_t G_buffer_size;
 /* The compiled regular expression representing `separator'. */
 static struct re_pattern_buffer compiled_separator;
 static char compiled_separator_fastmap[UCHAR_MAX + 1];
+static struct re_registers regs;

 static struct option const longopts[] =
 {
@@ -212,7 +213,6 @@ tac_seekable (int input_fd, const char *file)
   char first_char = *separator;        /* Speed optimization, non-regexp. */
   char const *separator1 = separator + 1; /* Speed optimization, non-regexp. */
   size_t match_length1 = match_length - 1; /* Speed optimization, non-regexp. 
*/
-  struct re_registers regs;

   /* Find the size of the input file. */
   file_pos = lseek (input_fd, (off_t) 0, SEEK_END);
--
1.5.5.1.117.ga349