authorTodd C. Miller <millert@cvs.openbsd.org>2002-04-15 21:47:46 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-04-15 21:47:46 +0000
commit89a6deaf15ff7422cfd847c74200248d5914289f (patch)
tree9fd8b9e061527fd3083e3d7bc331c5bdab791ff8
parent5904cdce122377e21d06a325481a1f73e300d43a (diff)
Fix sed(1) in the case where a last line is specified and hold space
is not specified, and then the first part of the pattern space is deleted, when there are two or more input lines, as this results in subtraction of one from an unsigned integral value of '0'. That bogus value is used in one case for a loop (that will run far too many times in this case) and a function to search for a value within a specified range of memory, however now the range of memory is obscenely large and a segmentation (or memory) fault will occur. This is fixed by checking for and appropriately handling a nil pattern space as if the specified search in memory failed, as indeed it obviously will with nil pattern space. From Tim J. Robbins by way of FreeBSD
-rw-r--r--usr.bin/sed/process.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c
index 2020f5f2c74..af12c21ac8c 100644
--- a/usr.bin/sed/process.c
+++ b/usr.bin/sed/process.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: process.c,v 1.7 2002/02/16 21:27:52 millert Exp $ */
+/* $OpenBSD: process.c,v 1.8 2002/04/15 21:47:45 millert Exp $ */
/*-
* Copyright (c) 1992 Diomidis Spinellis.
@@ -39,7 +39,7 @@
#ifndef lint
/* from: static char sccsid[] = "@(#)process.c 8.1 (Berkeley) 6/6/93"; */
-static char *rcsid = "$OpenBSD: process.c,v 1.7 2002/02/16 21:27:52 millert Exp $";
+static char *rcsid = "$OpenBSD: process.c,v 1.8 2002/04/15 21:47:45 millert Exp $";
#endif /* not lint */
#include <sys/types.h>
@@ -134,7 +134,8 @@ redirect:
case 'D':
if (pd)
goto new;
- if ((p = memchr(ps, '\n', psl - 1)) == NULL) {
+ if (psl == 0 ||
+ (p = memchr(ps, '\n', psl - 1)) == NULL) {
pd = 1;
goto new;
} else {
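Review bot: The new `psl == 0` test in front of the `memchr` call in `case 'D'` carries no comment explaining why an empty pattern space needs separate handling, and the same guard is repeated in the `case 'P'` and `case 'y'` hunks. Per the commit message `psl` is unsigned, so `psl - 1` wraps to a very large length and `memchr` scans far past the buffer. A one-line comment above the condition, such as `/* psl is unsigned: psl - 1 wraps when the pattern space is empty */`, would keep a later cleanup from removing the check. When the guard short-circuits, `p` is not assigned, which is harmless here because the visible branch only sets `pd` and jumps to `new`. The `else` branch continues outside the hunk.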
@@ -186,7 +187,8 @@ redirect:
case 'P':
if (pd)
break;
- if ((p = memchr(ps, '\n', psl - 1)) != NULL) {
+ if (psl != 0 &&
+ (p = memchr(ps, '\n', psl - 1)) != NULL) {
oldpsl = psl;
psl = (p + 1) - ps;
}
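Review bot: In `case 'P'`, the added `psl != 0 &&` short-circuit skips the assignment to `p`, so on an empty pattern space `p` keeps whatever value an earlier command left in it. If code after this hunk tests `p` (for example to restore `psl` from `oldpsl`; not visible here), it would act on a stale pointer and a stale length. Assigning unconditionally avoids that: `p = psl != 0 ? memchr(ps, '\n', psl - 1) : NULL;` followed by `if (p != NULL) {`. The rest of the case body lies outside the hunk.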
@@ -239,7 +241,7 @@ redirect:
HS = tspace;
break;
case 'y':
- if (pd)
+ if (pd || psl == 0)
break;
for (p = ps, len = psl; --len; ++p)
*p = cp->u.y[(unsigned char)*p];
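Review bot: The `for` loop in `case 'y'` still terminates only when `--len` lands exactly on zero, so the new `psl == 0` guard is its sole protection against the wrapped count the commit message describes. Writing the loop as `for (p = ps, len = psl; len > 1; --len, ++p)` performs the same `psl - 1` iterations for non-empty input and none for an empty pattern space. That keeps the write through `*p` bounded even if the guard is later moved or dropped. The declaration of `len` is outside the hunk, so confirm its type matches `psl`.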