Package: bsdmainutils
Version: 6.1.2
Version: 6.0.17
Severity: important

 hit this in 6.0.17 (sarge)
 still present in 6.1.2, against which the included patch is.
 probably present in all versions.

Symptoms:

  segfault or HUGE memory consumption.

Reproduce:

  #!/bin/bash
  X=$(echo "x "{,,,}{,,,}{,,,})
  # or perl -e 'print "x " x 64'
  # just so we will need a large number of columns
  # bug triggers as soon as about 36 columns
  # (which is obvious from the code)
  echo $X | column -t 

  output:
  huge amount of whitespace or segfault...
  so to try it, you may rather want to do
  echo $X | column -t | head -c 200 

  or do this:
  K=",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
  i=20
  while let "i++ < 40"; do
        eval "echo 'x '{${K::i}}" | ./column.broken -t | head -c 999999 | wc
        R=${PIPESTATUS[1]}
  done

  output:
      1      22      65
      1      23      68
      1      24      71
      1      25      74
      1      26      77
      1      27      80
      1      28      83
      1      29      86
      1      30      89
      1      31      92
      1      32      95
      1      33      98
      1      34     101
      0       1  999999
      0       1  999999
      0       1  999999
      0       1  999999
      0       1  999999
      0       1  999999
      0       1  999999

Fix:

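  s/int/size_t/ may not be what you want to do.
  The simplest fix is to parenthesize the sum, so that the whole element
  count (not just DEFCOLS) is multiplied by the element size: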
      - realloc(cols,  maxcols + DEFCOLS  * sizeof(*char))
      + realloc(cols, (maxcols + DEFCOLS) * sizeof(whatever))
                      ^                 ^

--- /home/lars/tmp/bsdmainutils-6.1.2/usr.bin/column/column.c.orig      
2005-06-08 03:28:16.000000000 +0200
+++ /home/lars/tmp/bsdmainutils-6.1.2/usr.bin/column/column.c   2005-11-10 
01:39:34.000000000 +0100
@@ -203,7 +203,7 @@
        char **list;
        int cols, *len;
 } TBL;
-#define        DEFCOLS 25
+#define        DEFCOLS ((size_t)25u)
 
 void
 maketbl(void)
@@ -211,7 +211,7 @@
        TBL *t;
        int coloff, cnt;
        char *p, **lp;
-       int *lens, maxcols;
+       size_t *lens, maxcols;
        TBL *tbl;
        char **cols;
 
@@ -225,13 +225,13 @@
                for (coloff = 0, p = *lp; (cols[coloff] = lstrtok(p, 
separator));
                    p = NULL)
                        if (++coloff == maxcols) {
-                               if (!(cols = realloc(cols, (u_int)maxcols +
-                                   DEFCOLS * sizeof(char *))) ||
+                               if (!(cols = realloc(cols,
+                                     (maxcols + DEFCOLS) * sizeof(*cols))) ||
                                    !(lens = realloc(lens,
-                                   (u_int)maxcols + DEFCOLS * sizeof(int))))
+                                     (maxcols + DEFCOLS) * sizeof(*lens))))
                                        err(1, NULL);
-                               memset((char *)lens + maxcols * sizeof(int),
-                                   0, DEFCOLS * sizeof(int));
+                               memset((char *)lens + maxcols * sizeof(*lens),
+                                   0, DEFCOLS * sizeof(*lens));
                                maxcols += DEFCOLS;
                        }
                if ((t->list = calloc(coloff, sizeof(char *))) == NULL)
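Review bot: `if (++coloff == maxcols)` now compares the `int coloff` declared in the previous hunk with a `size_t maxcols`. That is harmless while coloff is non-negative, but it is a signed/unsigned comparison that -Wsign-compare will flag, and coloff is also passed to calloc() as a count on the last line of this hunk. Making the comparison explicit, `if ((size_t)++coloff == maxcols) {`, keeps the intent visible without changing coloff's other uses, which lie outside this hunk. The memset no longer needs byte arithmetic now that it is written in terms of `*lens`: `memset(lens + maxcols, 0, DEFCOLS * sizeof(*lens));`.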


Thanks,

-- 
: Lars Ellenberg                                  Tel +43-1-8178292-0  :
: LINBIT Information Technologies GmbH            Fax +43-1-8178292-82 :
: Schoenbrunner Str. 244, A-1120 Vienna/Europe   http://www.linbit.com :

