NetBSD Problem Report #59453
From www@netbsd.org Sun Jun 1 19:03:50 2025
Date: Sun, 1 Jun 2025 19:03:49 +0000 (UTC)
From: bad@bsd.de
Reply-To: bad@bsd.de
To: gnats-bugs@NetBSD.org
Subject: sed 's/^/\x23def/' output '=ef' instead of '#def'
X-Send-Pr-Version: www-1.0
>Number: 59453
>Category: bin
>Synopsis: sed 's/^/\x23def/' output '=ef' instead of '#def'
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: christos
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 01 19:05:00 +0000 2025
>Closed-Date:
>Last-Modified: Thu Jun 19 12:36:20 +0000 2025
>Originator: Christoph Badura
>Release: 10.0
>Organization:
The Loops Are Hard, Let's Go Shopping Foundation
>Environment:
NetBSD morden.netbsd.org 10.0_STABLE NetBSD 10.0_STABLE (NBFTP) #0: Tue May 28 07:18:01 UTC 2024 spz@franklin.NetBSD.org:/home/netbsd/10/amd64/obj/sys/arch/amd64/compile/NBFTP amd64
>Description:
when processing a 's' command sed(1) does the following:
compile_subst(...): https://nxr.netbsd.org/xref/src/usr.bin/sed/compile.c#340
unescape(...): https://nxr.netbsd.org/xref/src/usr.bin/sed/compile.c#672
ston(&p, sp, 16): https://nxr.netbsd.org/xref/src/usr.bin/sed/compile.c#529
after swallowing "\x23" it decides to swallow another digit in
https://nxr.netbsd.org/xref/src/usr.bin/sed/compile.c#504
because at that point r=35 which is less than 255.
after swallowing 'd' r=573, the loop terminates and on line 588
that gets truncated to 61 ('=').
Obviously ston() shouldn't p++ if r has become too large.
This was introduced in r1.47
https://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/sed/compile.c.diff?r1=1.47;r2=1.47.16.1
Of course, this would have been discovered early if a test case had
been added.
Discovered by leot@.
>How-To-Repeat:
echo | sed 's/^/\x23duh'
>Fix:
Once more with test case, please.
Needs pullup to -10. -9 is fine.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->christos
Responsible-Changed-By: bad@NetBSD.org
Responsible-Changed-When: Sun, 01 Jun 2025 19:17:52 +0000
Responsible-Changed-Why:
over to the author. can you take a look?
From: "Christoph Badura" <bad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59453 CVS commit: src/tests/usr.bin/sed
Date: Sun, 1 Jun 2025 21:01:23 +0000
Module Name: src
Committed By: bad
Date: Sun Jun 1 21:01:23 UTC 2025
Modified Files:
src/tests/usr.bin/sed: t_sed.sh
Log Message:
add some test cases for \[dox]number escapes to t_sed.sh
PR bin/59453
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/tests/usr.bin/sed/t_sed.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "David H. Gutteridge" <david@gutteridge.ca>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/59453 (sed 's/^/\x23def/' output '=ef' instead of '#def')
Date: Sun, 01 Jun 2025 21:43:26 -0400
Commenting here solely on the specifics of the test case added, not the
underlying issue it illustrates. I assume that the new case was
intended to be enabled, so I just did so. I also moved it down so it's
next to a pre-existing case that's related. (Probably we want to tweak
the naming or collapse the cases together, but I just mechanically
moved it for now. It'd be interesting to understand what distinguishes
the old and new cases.)
Dave
From: Christoph Badura <bad@bsd.de>
To: gnats-bugs@netbsd.org
Cc: "David H. Gutteridge" <david@gutteridge.ca>
Subject: Re: bin/59453 (sed 's/^/\x23def/' output '=ef' instead of '#def')
Date: Mon, 2 Jun 2025 09:28:57 +0200
On Mon, Jun 02, 2025 at 01:45:02AM +0000, David H. Gutteridge via gnats wrote:
> Commenting here solely on the specifics of the test case added, not the
> underlying issue it illustrates. I assume that the new case was
> intended to be enabled, so I just did so. I also moved it down so it's
> next to a pre-existing case that's related. (Probably we want to tweak
> the naming or collapse the cases together, but I just mechanically
> moved it for now. It'd be interesting to understand what distinguishes
> the old and new cases.)
Thanks! I missed that yesterday.
--chris
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/59453 (sed 's/^/\x23def/' output '=ef' instead of '#def')
Date: Mon, 2 Jun 2025 12:12:16 +0200
This seems to be not documented anywhere. The gnu sed documentation does
not specify it clearly, but gnu sed takes one or two hex characters after
\x.
> echo | gsed 's/^/\x1023def/' | hexdump -C
00000000 10 32 33 64 65 66 0a |.23def.|
> echo | gsed 's/^/\x1t023def/' | hexdump -C
00000000 01 74 30 32 33 64 65 66 0a |.t023def.|
We should document it as GNU sed compatible extension (maybe borrowing
the portability warning from sh(1)).
Martin
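Added example (not part of the thread and not NetBSD's compile.c): a small C model of the hex-escape parsing discussed above, showing how a loop that keeps consuming digits while r < 255 turns "\x23def" into "=ef", next to a parser capped at two hex digits, which is the gsed behaviour shown in the message above. The names hexval, parse_hex and expand are hypothetical, and the two-digit cap is an assumption taken from that gsed output, not from the committed fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned hexval(int c)
{
	return isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10);
}

/* Parse the digits after "\x"; returns the number of digits consumed.
 * bounded == 0 models the reported loop (continue while r < 255);
 * bounded != 0 takes at most two digits (assumed gsed-compatible rule). */
static size_t parse_hex(const char *s, unsigned char *out, int bounded)
{
	unsigned long r = 0;
	size_t n = 0;
	while (isxdigit((unsigned char)s[n]) && (bounded ? n < 2 : r < 255))
		r = r * 16 + hexval((unsigned char)s[n++]);
	*out = (unsigned char)r;	/* e.g. 573 is silently truncated to 61 */
	return n;
}

/* Expand \x escapes from src into dst; dst must hold strlen(src) + 1 bytes. */
static char *expand(const char *src, char *dst, int bounded)
{
	char *d = dst;
	unsigned char c;
	size_t n;
	while (*src != '\0') {
		if (src[0] == '\\' && src[1] == 'x' &&
		    (n = parse_hex(src + 2, &c, bounded)) > 0) {
			*d++ = (char)c;
			src += 2 + n;
		} else
			*d++ = *src++;
	}
	*d = '\0';
	return dst;
}

int main(void)
{
	char buf[32];	/* constructed input: the replacement text from the PR */
	printf("unbounded: %s\n", expand("\\x23def", buf, 0));
	printf("bounded:   %s\n", expand("\\x23def", buf, 1));
	return strcmp(buf, "#def") != 0;
}
```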
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59453 CVS commit: src/usr.bin/sed
Date: Mon, 2 Jun 2025 09:34:40 -0400
Module Name: src
Committed By: christos
Date: Mon Jun 2 13:34:40 UTC 2025
Modified Files:
src/usr.bin/sed: compile.c
Log Message:
PR/59453: Christoph Badura: Don't keep accumulating characters when parsing
\[xod] escapes if the value exceeds the value a character can hold.
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/usr.bin/sed/compile.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59453 CVS commit: src/usr.bin/sed
Date: Tue, 3 Jun 2025 19:02:29 +0000
Module Name: src
Committed By: martin
Date: Tue Jun 3 19:02:29 UTC 2025
Modified Files:
src/usr.bin/sed: compile.c
Log Message:
PR 59453: fix off by one in escape sequences length check
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/usr.bin/sed/compile.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Christoph Badura" <bad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59453 CVS commit: src/usr.bin/sed
Date: Thu, 19 Jun 2025 12:24:06 +0000
Module Name: src
Committed By: bad
Date: Thu Jun 19 12:24:06 UTC 2025
Modified Files:
src/usr.bin/sed: sed.1
Log Message:
document the escape sequences in REs and the substitute command
NB: gsed's "\cx" is not supported and hence not documented.
PR bin/59453
To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/usr.bin/sed/sed.1
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: bad@NetBSD.org
State-Changed-When: Thu, 19 Jun 2025 12:36:20 +0000
State-Changed-Why:
compile.c r1.52-1.55 need to be pulled up to -10
sed.1 r1.44 needs to be pulled up to -10. r1.45 should be pulled up too.
maybe that can be combined?
>Unformatted:
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.