[coreutils] [PATCH] csplit: avoid buffer overrun when writing more than

coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[coreutils] [PATCH] csplit: avoid buffer overrun when writing more than

From:	Jim Meyering
Subject:	[coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files
Date:	Wed, 10 Nov 2010 14:25:26 +0100

Here's a patch.

The included test is a little unusual.
Unlike most such tests, this one does not fail without the fix.
However, running it against a valgrind-wrapped does expose the bug.

Any suggestions for a better way (even O/S- or kernel-specific)
to test this would be most welcome.  While I'm inclined not
to run valgrind directly (I run it periodically on everything,
via wrappers), this is one possibility:

    seq 1000 | valgrind --error-exitcode=1 -- csplit - '/./' '{*}' || fail=1

But that would involve first ensuring that it's installed and usable.

>From 8a5043963e1412014403150e53d850e0242f14e7 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Wed, 10 Nov 2010 13:53:38 +0100
Subject: [PATCH] csplit: avoid buffer overrun when writing more than 999 files

Without this fix, seq 1000 | csplit - /./ '{*}' would write
the NUL-terminated file name, xx1000, into a buffer of size 6.
* src/csplit.c (main): Use properly sized file name buffer.
* NEWS (Bug fixes): Mention it.
* tests/misc/csplit-1000: New test to trigger the bug.
* tests/Makefile.am (TESTS): Add misc/csplit-1000.
---
 NEWS                   |    4 ++++
 src/csplit.c           |    9 +++++----
 tests/Makefile.am      |    1 +
 tests/misc/csplit-1000 |   29 +++++++++++++++++++++++++++++
 4 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100755 tests/misc/csplit-1000

diff --git a/NEWS b/NEWS
index 0cd6153..89ae5d6 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ GNU coreutils NEWS                                    -*- 
outline -*-
   latent bug introduced in coreutils 8.1, and possibly a second latent
   bug going at least as far back as coreutils 5.97]

+  csplit no longer corrupts heap when writing more than 999 files.
+  Demonstrate with: seq 1000 | csplit - /./ '{*}'
+  [the bug was present in the initial implementation]
+
   tail -F once again notices changes in a currently unavailable
   remote directory [bug introduced in coreutils-7.5]

diff --git a/src/csplit.c b/src/csplit.c
index 40baba8..57543f0 100644
--- a/src/csplit.c
+++ b/src/csplit.c
@@ -1372,10 +1372,11 @@ main (int argc, char **argv)
       usage (EXIT_FAILURE);
     }

-  if (suffix)
-    filename_space = xmalloc (strlen (prefix) + max_out (suffix) + 2);
-  else
-    filename_space = xmalloc (strlen (prefix) + digits + 2);
+  unsigned int max_digit_string_len
+    = (suffix
+       ? max_out (suffix)
+       : MAX (INT_STRLEN_BOUND (unsigned int), digits));
+  filename_space = xmalloc (strlen (prefix) + max_digit_string_len + 1);

   set_input_file (argv[optind++]);

diff --git a/tests/Makefile.am b/tests/Makefile.am
index dd1c509..a3a30b6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -172,6 +172,7 @@ TESTS =                                             \
   misc/chroot-fail                             \
   misc/comm                                    \
   misc/csplit                                  \
+  misc/csplit-1000                             \
   misc/date-sec                                        \
   misc/dircolors                               \
   misc/df                                      \
diff --git a/tests/misc/csplit-1000 b/tests/misc/csplit-1000
new file mode 100755
index 0000000..accbe46
--- /dev/null
+++ b/tests/misc/csplit-1000
@@ -0,0 +1,29 @@
+#!/bin/sh
+# various csplit tests
+
+# Copyright (C) 2010 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+test "$VERBOSE" = yes && FIXME --version
+
+# Before coreutils-8.7, this would overrun the 6-byte filename_space buffer.
+# It's hard to detect that without using valgrind, so here, we simply
+# run the demonstrator.
+seq 1000 | csplit - '/./' '{*}' || fail=1
+test -f xx1000 || fail=1
+test -f xx1001 && fail=1
+
+Exit $fail
--
1.7.3.2.4.g60aa9

[Prev in Thread]

Current Thread

[Next in Thread]

[coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files, Jim Meyering <=
- Re: [coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files, Pádraig Brady, 2010/11/10
  - Re: [coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files, Pádraig Brady, 2010/11/23

Prev by Date: Re: [coreutils] [patch] Re: Install enhancement request: capabilities
Next by Date: Re: [coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files
Previous by thread: [coreutils] test: fix a dash portability problem with redirected symlinked ttys
Next by thread: Re: [coreutils] [PATCH] csplit: avoid buffer overrun when writing more than 999 files
Index(es):
- Date
- Thread