Package: gawk
Version: 1:4.1.1+dfsg-1
Severity: important
Dear Maintainer,
While I appreciate that passing untrusted code to gawk is not a common thing to
do, I do not believe that it should be possible to trigger a segfault though.
The following "program" will crash gawk though:
$ echo | gawk '{ print( @olower( "steve" ) ) }'
gawk: cmd. line:1: (FILENAME=- FNR=1) fatal error: internal error: segfault
Aborted
The specific problem here is the error-handling in `interpret.h`, which
contains the following code:
    if (f == NULL || f->type != Node_func) {
        if (f->type == Node_ext_func || f->type == Node_old_ext_func)
            fatal(_("cannot (yet) call extension functions indirectly"));
        else
            fatal(_("function called indirectly through `%s' does not exist"),
                pc->func_name);
    }
    pc->func_body = f;      /* save for next call */
The first condition says:
* If f is NULL
* OR f->type != ..
Assume f is NULL, then the very next line reads:
if ( f->type == .... )
Which is an immediate segfault! One possible patch would be to change this:
    if (f->type == Node_ext_func || f->type == Node_old_ext_func)
To the following, to explicitly look for a non-NULL f:
    if ( f && (f->type == Node_ext_func || f->type == Node_old_ext_func) )
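As an added illustration (this is not code from the report or from gawk), the same two shapes of the check in a self-contained C sketch: a constructed symbol table, a resolver with the NULL-unsafe test exactly as quoted above, and a resolver with the corrected test that checks f before reading f->type. The NODE struct, the lookup() helper and the call_status enum are assumptions made for this sketch; fatal() is replaced by a returned status so the outcomes can be compared.

```c
#include <stddef.h>
#include <string.h>

/* Assumed node kinds, modelled on the names used in the report. */
typedef enum { Node_func, Node_ext_func, Node_old_ext_func, Node_var } NODETYPE;

typedef struct exp_node {
    NODETYPE type;
    const char *name;
} NODE;

/* Outcome of resolving the target of an indirect call (stands in for fatal()). */
typedef enum { CALL_OK, CALL_ERR_NOT_FOUND, CALL_ERR_EXT_FUNC } call_status;

/* Constructed symbol table: one user function, one extension function, one variable. */
static NODE symtab[] = {
    { Node_func,     "user_lower" },
    { Node_ext_func, "ext_hash"   },
    { Node_var,      "counter"    },
};

/* Assumed lookup: returns NULL when no symbol of that name exists. */
static NODE *lookup(const char *name) {
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
        if (strcmp(symtab[i].name, name) == 0)
            return &symtab[i];
    return NULL;
}

/* The shape quoted from interpret.h: when lookup() returns NULL the outer
 * condition is true, and the inner test then reads f->type through NULL. */
static call_status resolve_indirect_buggy(const char *name, NODE **out) {
    NODE *f = lookup(name);
    if (f == NULL || f->type != Node_func) {
        if (f->type == Node_ext_func || f->type == Node_old_ext_func) /* NULL deref when f == NULL */
            return CALL_ERR_EXT_FUNC;
        else
            return CALL_ERR_NOT_FOUND;
    }
    if (out) *out = f;
    return CALL_OK;
}

/* The corrected shape: f is tested before any field of it is read, so an
 * unknown name falls through to the "does not exist" branch instead of crashing. */
static call_status resolve_indirect_fixed(const char *name, NODE **out) {
    NODE *f = lookup(name);
    if (f == NULL || f->type != Node_func) {
        if (f && (f->type == Node_ext_func || f->type == Node_old_ext_func))
            return CALL_ERR_EXT_FUNC;
        else
            return CALL_ERR_NOT_FOUND;
    }
    if (out) *out = f;
    return CALL_OK;
}
```

Calling resolve_indirect_buggy() with a name that is not in the table is the crash the report describes; resolve_indirect_fixed() returns CALL_ERR_NOT_FOUND for the same input, CALL_ERR_EXT_FUNC for an extension function, and CALL_OK only for a real Node_func.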
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gawk depends on:
ii libc6 2.19-18+deb8u3
ii libgmp10 2:6.0.0+dfsg-6
ii libmpfr4 3.1.2-2
ii libreadline6 6.3-8+b3
ii libsigsegv2 2.10-4+b1
gawk recommends no packages.
Versions of packages gawk suggests:
pn gawk-doc <none>
-- no debconf information