Subject: bin/1356: [dM] join can coredump
To: None <gnats-bugs@gnats.netbsd.org>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: netbsd-bugs
Date: 08/14/1995 14:05:44
>Number: 1356
>Category: bin
>Synopsis: [dM] join can coredump
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Aug 14 14:20:01 1995
>Last-Modified:
>Originator: der Mouse
>Organization:
Dis-
>Release: -current as of August 11th
>Environment:
SPARC IPC, but it's machine-independent
>Description:
join can coredump by calling strcmp() with a nil pointer, if an
input line contains exactly one field too few for the -j
option's field to be present. The problem appears to be that
cmp() uses < rather than <= when comparing field numbers
against field counts. (I conjecture someone forgot which
numbers were 0-origin and which 1-origin.)
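As an added illustration (not code from the report or from NetBSD's join.c), the following stand-alone C program reproduces the 0-origin/1-origin confusion described above with a minimal line record and a blank-separated field splitter. The `LINE` struct, `split_line()`, and the probe functions are assumptions of this example; `cmp_fixed()` mirrors the comparison with both bounds tests changed to `<=`, including the inner ternary (my choice here). It shows that for the line `a` and the `-j 2` field (index 1 once 0-origin), the old test accepts a field whose slot is NULL, which is exactly what `strcmp()` would then dereference, while the corrected test rejects it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define MAXFIELDS 16

/* Minimal stand-in for join's per-line record (an assumption; not NetBSD's LINE). */
typedef struct {
    char buf[128];               /* private, writable copy of the input line */
    char *fields[MAXFIELDS + 1]; /* fields[fieldcnt] is left NULL */
    unsigned long fieldcnt;      /* fields are 0-origin: valid indexes are 0..fieldcnt-1 */
} LINE;

/* Split text on blanks into lp->fields; returns the field count. */
static unsigned long split_line(LINE *lp, const char *text)
{
    char *p, *save;

    strncpy(lp->buf, text, sizeof(lp->buf) - 1);
    lp->buf[sizeof(lp->buf) - 1] = '\0';
    memset(lp->fields, 0, sizeof(lp->fields));
    lp->fieldcnt = 0;
    for (p = strtok_r(lp->buf, " \t\n", &save);
         p != NULL && lp->fieldcnt < MAXFIELDS;
         p = strtok_r(NULL, " \t\n", &save))
        lp->fields[lp->fieldcnt++] = p;
    return lp->fieldcnt;
}

/* Pre-fix test: "fieldcnt < fieldno" says the field is present when
 * fieldno == fieldcnt, i.e. one past the last field, so fields[fieldno]
 * is NULL and strcmp() would dereference it. */
static int field_present_old(const LINE *lp, unsigned long fieldno)
{
    return !(lp->fieldcnt < fieldno);
}

/* Post-fix test: a 0-origin index is valid only when fieldno < fieldcnt. */
static int field_present_new(const LINE *lp, unsigned long fieldno)
{
    return !(lp->fieldcnt <= fieldno);
}

/* Comparison with the corrected bounds; the inner test also uses <= here. */
static int cmp_fixed(const LINE *lp1, const LINE *lp2,
                     unsigned long fieldno1, unsigned long fieldno2)
{
    if (lp1->fieldcnt <= fieldno1)
        return (lp2->fieldcnt <= fieldno2 ? 0 : 1);
    if (lp2->fieldcnt <= fieldno2)
        return (-1);
    return (strcmp(lp1->fields[fieldno1], lp2->fields[fieldno2]));
}

/* Returns 1 when the old test would accept a field whose slot is NULL (the crash). */
static int old_check_passes_null(const char *text, unsigned long fieldno)
{
    LINE l;

    if (fieldno > MAXFIELDS)
        return 0;
    split_line(&l, text);
    return field_present_old(&l, fieldno) && l.fields[fieldno] == NULL;
}

/* Same probe with the corrected test. */
static int new_check_passes_null(const char *text, unsigned long fieldno)
{
    LINE l;

    if (fieldno > MAXFIELDS)
        return 0;
    split_line(&l, text);
    return field_present_new(&l, fieldno) && l.fields[fieldno] == NULL;
}

/* Split both lines and compare them on the given 0-origin join field. */
static int cmp_lines(const char *a, const char *b, unsigned long fieldno)
{
    LINE l1, l2;

    split_line(&l1, a);
    split_line(&l2, b);
    return cmp_fixed(&l1, &l2, fieldno, fieldno);
}

int main(void)
{
    /* -j 2 is index 1 once 0-origin; the constructed line "a" has one field */
    printf("old check, line \"a\", field 1 -> strcmp(NULL)? %d\n", old_check_passes_null("a", 1));
    printf("new check, line \"a\", field 1 -> strcmp(NULL)? %d\n", new_check_passes_null("a", 1));
    printf("cmp(\"a b\", \"a\")   = %d\n", cmp_lines("a b", "a", 1));
    printf("cmp(\"c d\", \"e d\") = %d\n", cmp_lines("c d", "e d", 1));
    return 0;
}
```

The two probe functions are the check a reviewer would want for any "index versus count" comparison: build the shortest input that has exactly one field fewer than the requested index and confirm the bounds test rejects it before any pointer is handed to a string routine.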
>How-To-Repeat:
% cat > z.1
a b
c d
^D
% cat > z.2
a
e d
^D
% join -j 2 z.1 z.2
Segmentation fault
>Fix:
This seems to stop the coredumping, though join still seems to
misbehave a little; for example, the example above produces no
output, rather than the "d c e" line that it seems to me it
should.
*** /sources/working-usr-src/usr.bin/join/join.c Tue May 30 08:49:41 1995
--- join.c Mon Aug 14 13:53:36 1995
***************
*** 356,364 ****
LINE *lp1, *lp2;
u_long fieldno1, fieldno2;
{
! if (lp1->fieldcnt < fieldno1)
return (lp2->fieldcnt < fieldno2 ? 0 : 1);
! if (lp2->fieldcnt < fieldno2)
return (-1);
return (strcmp(lp1->fields[fieldno1], lp2->fields[fieldno2]));
}
--- 356,364 ----
LINE *lp1, *lp2;
u_long fieldno1, fieldno2;
{
! if (lp1->fieldcnt <= fieldno1)
return (lp2->fieldcnt < fieldno2 ? 0 : 1);
! if (lp2->fieldcnt <= fieldno2)
return (-1);
return (strcmp(lp1->fields[fieldno1], lp2->fields[fieldno2]));
}
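Review bot: the inner ternary on the second line of the hunk, `return (lp2->fieldcnt < fieldno2 ? 0 : 1);`, still uses `<` while both outer tests now use `<=`, so when both lines lack the join field and `lp2->fieldcnt == fieldno2` it returns 1 (lp1 sorts after lp2) instead of 0 (equal); for consistency with the 0-origin index used in `lp1->fields[fieldno1]` it should become `lp2->fieldcnt <= fieldno2 ? 0 : 1`. Separately, the `return (-1)` path makes a file-2 line that lacks the join field compare greater than every file-1 line, so file 1 is consumed before z.2's `e d` is reached; that would account for the missing `d c e` output noted above, and how lines without the join field should be ordered is a separate decision from the crash fix and worth a comment in the code.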
der Mouse
mouse@collatz.mcrcim.mcgill.edu
>Audit-Trail:
>Unformatted: