NetBSD Problem Report #53597

From www@NetBSD.org  Wed Sep 12 09:03:56 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C39B77A111
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 12 Sep 2018 09:03:55 +0000 (UTC)
Message-Id: <20180912090354.8EC057A1FE@mollari.NetBSD.org>
Date: Wed, 12 Sep 2018 09:03:54 +0000 (UTC)
From: horimoto@clear-code.com
Reply-To: horimoto@clear-code.com
To: gnats-bugs@NetBSD.org
Subject: libedit segfault at character decoding error in history_load function
X-Send-Pr-Version: www-1.0

>Number:         53597
>Category:       lib
>Synopsis:       libedit segfault at character decoding error in history_load function
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          needs-pullups
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 12 09:05:00 +0000 2018
>Closed-Date:    
>Last-Modified:  Sat Sep 22 06:46:51 +0000 2018
>Originator:     Yasuhiro Horimoto
>Release:        NetBSD: history.c,v 1.59 2017/12/23 18:25:03
>Organization:
>Environment:
Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
>Description:
When loading a history file containing a broken encoding character, libedit crashes.
>How-To-Repeat:
1. We make a file in the following way.

ruby -e 'puts("_HiStOrY_V2_"); puts("\xff")' > ~/.history-file

2. We load the file above.

>Fix:
--- history.c	2018-05-26 03:09:38.000000000 +0900
+++ history.c	2018-09-11 17:20:21.414631546 +0900
@@ -810,6 +810,8 @@
 			ptr = nptr;
 		}
 		(void) strunvis(ptr, line);
+                if (ct_decode_string(ptr, &conv) == NULL)
+                  continue;
 		if (HENTER(h, &ev, ct_decode_string(ptr, &conv)) == -1) {
 			i = -1;
 			goto oomem;
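
Review bot: the two added lines decode ptr once and discard the result, and the unchanged HENTER(h, &ev, ct_decode_string(ptr, &conv)) line right after them decodes it a second time. Store the result in a local variable, test that variable for NULL, and pass the same pointer to HENTER so each line is decoded exactly once. The added lines are also indented with spaces while the surrounding context uses tabs.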

>Release-Note:

>Audit-Trail:
From: Horimoto Yasuhiro <horimoto@clear-code.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/53597
Date: Wed, 12 Sep 2018 19:02:26 +0900

 I am sending a better patch.

 >Fix:

 --- history.c	2018-05-26 03:09:38.000000000 +0900
 +++ history.c	2018-09-12 18:44:00.433209910 +0900
 @@ -778,6 +778,7 @@
  	char *ptr;
  	int i = -1;
  	TYPE(HistEvent) ev;
 +	Char *decode_result;
  #ifndef NARROWCHAR
  	static ct_buffer_t conv;
  #endif
 @@ -810,7 +811,10 @@
  			ptr = nptr;
  		}
  		(void) strunvis(ptr, line);
 -		if (HENTER(h, &ev, ct_decode_string(ptr, &conv)) == -1) {
 +		decode_result = ct_decode_string(ptr, &conv);
 +		if (decode_result == NULL)
 +			continue;
 +		if (HENTER(h, &ev, decode_result) == -1) {
  			i = -1;
  			goto oomem;
  		}
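
Review bot: the added "if (decode_result == NULL) continue;" drops an undecodable line without any indication, so a caller cannot tell a clean load from one that skipped entries. If ct_decode_string() can also return NULL when an allocation fails, that case is skipped as well instead of taking the oomem path that the HENTER failure just below it takes. Add a comment saying that undecodable lines are skipped on purpose, and check whether the NULL return needs to be split into the two cases.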

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53597 CVS commit: src/lib/libedit
Date: Wed, 12 Sep 2018 18:10:35 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Wed Sep 12 22:10:35 UTC 2018

 Modified Files:
 	src/lib/libedit: history.c

 Log Message:
 PR/53597: Yasuhiro Horimoto: Avoid segmentation fault in bad history file.


 To generate a diff of this commit:
 cvs rdiff -u -r1.59 -r1.60 src/lib/libedit/history.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: PR/53597 CVS commit: src/lib/libedit
Date: Thu, 13 Sep 2018 06:27:21 +0700

     Date:        Wed, 12 Sep 2018 22:15:01 +0000 (UTC)
     From:        "Christos Zoulas" <christos@netbsd.org>
     Message-ID:  <20180912221501.5DA747A212@mollari.NetBSD.org>

   |  PR/53597: Yasuhiro Horimoto: Avoid segmentation fault in bad history file.


                 (void) strunvis(ptr, line);
 +               decode_result = ct_decode_string(ptr, &conv);
 +               if (decode_result == NULL)
 +                       continue;
                 if (HENTER(h, &ev, ct_decode_string(ptr, &conv)) == -1) {

 might that be decode_result rather than ct_decode_string(ptr, &conv)
 (repeated call) in the call of HENTER?

 kre

State-Changed-From-To: open->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sat, 22 Sep 2018 06:46:51 +0000
State-Changed-Why:
needs history.c:1.59-1.62


>Unformatted:
