NetBSD Problem Report #59903
From mac@culver.net Sat Jan 10 00:58:54 2026
Return-Path: <mac@culver.net>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.netbsd.org", Issuer "R13" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id C49261A923C
for <gnats-bugs@gnats.NetBSD.org>; Sat, 10 Jan 2026 00:58:54 +0000 (UTC)
Message-Id: <20260110005128.05D2717C4F13@ss.culver.net>
Date: Sat, 10 Jan 2026 00:51:28 +0000 (UTC)
From: mac@culver.net
Reply-To: mac@culver.net
To: gnats-bugs@NetBSD.org
Subject: rs dumps core on valid input
X-Send-Pr-Version: 3.95
X-From4GNATS: "mac@culver.net via gnats" <gnats-admin@NetBSD.org>
>Number: 59903
>Category: bin
>Synopsis: rs dumps core on valid input
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jan 10 01:00:00 +0000 2026
>Last-Modified: Sun Jan 11 03:15:01 +0000 2026
>Originator: mac@culver.net
>Release: NetBSD 10.1
>Organization:
>Environment:
System: NetBSD SS.Culver.Net 10.1 NetBSD 10.1 (MIKE-$Revision: 2025-Dec-27 $) #1: Sun Dec 28 19:39:48 UTC 2025 mac@SS.Culver.Net:/usr/src/sys/arch/amd64/compile/MIKE amd64 My kernel is just a rename of GENERIC
Architecture: x86_64
Machine: amd64
>Description:
rs appears to work properly most of the time, but by accident I found the following error
>How-To-Repeat:
file '2x2' contains:
43 76
27 29
file '2x10' contains:
43 27 8 22 12 78 18 43 41 13
76 29 85 100 34 78 45 80 24 50
$ cat 2x2
43 76
27 29
$ rs -tz < 2x2
43 76 27 29
$ cat 2x10
43 27 8 22 12 78 18 43 41 13
76 29 85 100 34 78 45 80 24 50
$ rs -tz < 2x10
zsh: segmentation fault rs -tz < 2x10
I did not try reducing the seg fault input more than this 2x10 example
test files generated by playing around with this:
$ cd /tmp
$ jot -r 100 | rs 10 10 | tee 10x10 | rs -T > T10x10
$ head -2 T10x10 > 2x10
$ rs < 2x10 | rs | head -4 | rs 2 2 > 2x2
$ rs -tz < 2x10
zsh: segmentation fault rs -tz < 2x10
I believe the problem is specific input data, to wit:
$ cat 2x10
43 27 8 22 12 78 18 43 41 13
76 29 85 100 34 78 45 80 24 50
$ rs -z -t < 2x10
zsh: segmentation fault (core dumped) rs -z -t < 2x10 ;; switch order is irrelevant
$ cat /tmp/2x10
97 2 2 29 40 6 67 36 54 78
88 14 26 77 10 85 9 65 96 97
$ rs -t -z < /tmp/2x10
97 2 2 29 40 6 67 36 54 78 88 14 26 77 10 85 9 65 96 97
FINALLY, if I change the "100" in the 'bad' file to, say, 99 --- no problem. to 101? same problem.
>Fix:
>Audit-Trail:
From: "Michael van Elst" <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59903 CVS commit: src/usr.bin/rs
Date: Sat, 10 Jan 2026 08:09:03 +0000
Module Name: src
Committed By: mlelstv
Date: Sat Jan 10 08:09:03 UTC 2026
Modified Files:
src/usr.bin/rs: rs.c
Log Message:
Avoid coredump when calculated output array exceeds input data size.
Fixes PR 59903
While here, resist attempt to understand or fix traditional behaviour.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/usr.bin/rs/rs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/59903: rs dumps core on valid input
Date: Sat, 10 Jan 2026 07:18:36 +0000 (UTC)
On Sat, 10 Jan 2026, mac@culver.net via gnats wrote:
> $ cat 2x10
> 43 27 8 22 12 78 18 43 41 13
> 76 29 85 100 34 78 45 80 24 50
>
> $ rs -tz < 2x10
> zsh: segmentation fault rs -tz < 2x10
> [...]
> test files generated by playing around with this:
>
> $ cd /tmp
> $ jot -r 100 | rs 10 10 | tee 10x10 | rs -T > T10x10
> [...]
>
These also fail:
```
$ jot 100 | rs -tz # calculated orows * ocols > nelem
$ jot 99 | rs -tz 10 10 # dim > nelem
```
Looks like it's walking off the end of the `elem' array. Can you try:
---START patch---
diff -urN a/src/usr.bin/rs/rs.c b/src/usr.bin/rs/rs.c
--- a/src/usr.bin/rs/rs.c 2023-08-10 20:36:29.000000000 +0000
+++ b/src/usr.bin/rs/rs.c 2026-01-10 06:28:57.921214613 +0000
@@ -295,9 +295,12 @@
if (flags & SQUEEZE) {
if (flags & TRANSPOSE)
for (ep = elem, i = 0; i < ocols; i++) {
- for (j = 0; j < orows; j++)
+ for (j = 0; j < orows; j++) {
+ if (ep >= elem + nelem)
+ break;
if ((n = strlen(*ep++)) > max)
max = n;
+ }
colwidths[i] = max + gutter;
}
else
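Review bot: the added `if (ep >= elem + nelem) break;` only leaves the inner `j` loop, so the outer `i` loop still runs for every remaining column, re-testing the bound each time and storing `colwidths[i] = max + gutter` from whatever `max` was last seen. That is memory-safe, but folding the bound into the loop condition (`j < orows && ep < elem + nelem`) would express it without the extra braces, and a one-line comment on why `orows * ocols` can exceed `nelem` at this point would help the next reader. The `else` branch that follows lies outside this hunk; it is worth confirming that it cannot walk past `elem + nelem` in the same way.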
---END patch---
-RVP
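
The overrun described in the message above, modelled as a small stand-alone C program. This is an added example, not code from rs.c or from anyone in this thread. The function names, the gutter value of 2 and the generated "1".."N" strings are constructed for illustration, and orows/ocols are passed in directly (the `10 10` of the second failing command) rather than calculated the way rs does.

```c
#include <stdio.h>
#include <string.h>

#define MAXELEM 128

/* Reads the unguarded loop nest would make beyond elem[nelem - 1]. */
static size_t reads_past_end(size_t nelem, size_t orows, size_t ocols)
{
	size_t want = orows * ocols;
	return want > nelem ? want - nelem : 0;
}

/* Same loop shape as the hunk, with the bound folded into the loop
 * condition.  Returns how many entries of elem[] were dereferenced. */
static size_t squeeze_widths(char **elem, size_t nelem, size_t orows,
    size_t ocols, size_t gutter, size_t *colwidths)
{
	char **ep = elem, **end = elem + nelem;
	size_t i, j, n, max = 0;	/* running maximum, as in the hunk */

	for (i = 0; i < ocols; i++) {
		for (j = 0; j < orows && ep < end; j++)
			if ((n = strlen(*ep++)) > max)
				max = n;
		colwidths[i] = max + gutter;
	}
	return (size_t)(ep - elem);
}

/* Constructed input: the strings "1".."nelem", like `jot nelem`. */
static size_t demo(size_t nelem, size_t orows, size_t ocols, size_t *colwidths)
{
	static char text[MAXELEM][8];
	char *elem[MAXELEM];
	size_t k;

	for (k = 0; k < nelem && k < MAXELEM; k++) {
		snprintf(text[k], sizeof(text[k]), "%zu", k + 1);
		elem[k] = text[k];
	}
	return squeeze_widths(elem, k, orows, ocols, 2, colwidths);
}

int main(void)
{
	size_t w[10];
	size_t got = demo(99, 10, 10, w);
	printf("reads=%zu overrun-if-unguarded=%zu last width=%zu\n",
	    got, reads_past_end(99, 10, 10), w[9]);
	return 0;
}
```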
From: Michael Cheponis <michael.cheponis@gmail.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, mac@culver.net
Subject: Re: bin/59903: rs dumps core on valid input
Date: Sat, 10 Jan 2026 19:14:18 -0800
This patch works for me (I had some additional test cases I didn't put in
the pr; they pass now).
To my eyes:
1) Gosh, there are precious few comments in there
2) Definitely some questionable code style choices for 2026 C
Thanks for the quick turn-around.
-Mike
On Sat, Jan 10, 2026 at 1:45 AM RVP via gnats <gnats-admin@netbsd.org> wrote:
> The following reply was made to PR bin/59903; it has been noted by GNATS.
>
> From: RVP <rvp@SDF.ORG>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: bin/59903: rs dumps core on valid input
> Date: Sat, 10 Jan 2026 07:18:36 +0000 (UTC)
>
> On Sat, 10 Jan 2026, mac@culver.net via gnats wrote:
>
> > $ cat 2x10
> > 43 27 8 22 12 78 18 43 41 13
> > 76 29 85 100 34 78 45 80 24 50
> >
> > $ rs -tz < 2x10
> > zsh: segmentation fault rs -tz < 2x10
> > [...]
> > test files generated by playing around with this:
> >
> > $ cd /tmp
> > $ jot -r 100 | rs 10 10 | tee 10x10 | rs -T > T10x10
> > [...]
> >
>
> These also fail:
>
> ```
> $ jot 100 | rs -tz # calculated orows * ocols > nelem
> $ jot 99 | rs -tz 10 10 # dim > nelem
> ```
>
> Looks like it's walking off the end of the `elem' array. Can you try:
>
> ---START patch---
> diff -urN a/src/usr.bin/rs/rs.c b/src/usr.bin/rs/rs.c
> --- a/src/usr.bin/rs/rs.c 2023-08-10 20:36:29.000000000 +0000
> +++ b/src/usr.bin/rs/rs.c 2026-01-10 06:28:57.921214613 +0000
> @@ -295,9 +295,12 @@
> if (flags & SQUEEZE) {
> if (flags & TRANSPOSE)
> for (ep =3D elem, i =3D 0; i < ocols; i++) {
> - for (j =3D 0; j < orows; j++)
> + for (j =3D 0; j < orows; j++) {
> + if (ep >=3D elem + nelem)
> + break;
> if ((n =3D strlen(*ep++)) > max)
> max =3D n;
> + }
> colwidths[i] =3D max + gutter;
> }
> else
> ---END patch---
>
> -RVP
>
>
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.