Subject: bin/26363: script(1) core dumps when made to play back a session recorded without the -r flag.
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <hsaliak@gmail.com>
List: netbsd-bugs
Date: 07/19/2004 08:42:23
>Number: 26363
>Category: bin
>Synopsis: script(1) core dumps when made to play back a session recorded without the -r flag.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 19 11:07:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Kailash Sethuraman
>Release: NetBSD 2.0_BETA
>Organization:
-
>Environment:
NetBSD harold 2.0_BETA NetBSD 2.0_BETA (GENERIC_LAPTOP) #0: Sat Jun 12 11:59:40 SGT 2004 root@kasba:/usr/src/nbsd/obj/usr/src/nbsd/src/sys/arch/i386/compile/GENERIC_LAPTOP i386
$ ident /usr/bin/script
/usr/bin/script:
$NetBSD: crt0.c,v 1.13 2003/07/26 19:24:27 salo Exp $
$NetBSD: script.c,v 1.9 2003/08/07 11:15:48 agc Exp $
>Description:
/usr/bin/script can be run to record sessions in the terminal and play them back. When sessions are recorded with -r, script -p can be used on the output to play them back in real time. However, when script -p is used to play back sessions NOT recorded with "script -r" but with just "script", it crashes with a segmentation fault. This is because of inadequate checking of whether the stamp data in the input file is sane.
>How-To-Repeat:
The following sequence causes a core dump.
script has to log enough data (more than the size of the stamp structure) to cause a
seg fault; therefore, the following commands cause a segmentation fault.
Enter any large directory like /dev:
cd /dev
script ~/typescript
ls
exit
script -p ~/typescript
(Memory fault)
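The failure described above, as an added example that is not part of this PR or of NetBSD's script.c: a minimal in-memory replay loop that applies the same stamp sanity check the PR proposes, run against a constructed stamped recording and a constructed plain typescript. The struct layout, the PLAYBUF size, the sample data and every function name here are assumptions made for the illustration; byte swapping of the header is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not script(1)'s code. The struct reuses the field
 * names the patch refers to (scr_len, scr_sec, scr_direction) with an
 * assumed layout; the real on-disk stamp and its byte swapping are not
 * modelled, and host byte order is assumed throughout. */
struct stamp {
	uint64_t scr_len;	/* bytes of payload following the header */
	uint64_t scr_sec;	/* capture time, seconds */
	uint64_t scr_usec;	/* capture time, microseconds */
	uint32_t scr_direction;	/* 's', 'e', 'i' or 'o' */
};

#define PLAYBUF 1024	/* stand-in for the BUFSIZ-sized playback buffer */

/* The check the patch adds, but bounded by the size of the actual buffer. */
int
stamp_is_sane(const struct stamp *st, size_t bufsz)
{
	switch (st->scr_direction) {
	case 's': case 'e': case 'i': case 'o':
		return st->scr_len <= bufsz;
	default:
		return 0;
	}
}

/* Replay a recording held in memory. Returns the record count, or -1 at the
 * first stamp that fails validation or runs past the data. Without the
 * stamp_is_sane() call, a non-stamped file would supply the bytes of
 * "Script s" as the copy length and overrun buf, as the PR describes. */
int
replay(const uint8_t *data, size_t n)
{
	char buf[PLAYBUF];
	size_t off = 0;
	int nrec = 0;
	while (off < n) {
		struct stamp st;
		if (n - off < sizeof st)
			return -1;		/* truncated header */
		memcpy(&st, data + off, sizeof st);
		off += sizeof st;
		if (!stamp_is_sane(&st, sizeof buf))
			return -1;		/* where the patch bails out */
		if (st.scr_len > n - off)
			return -1;		/* payload shorter than declared */
		memcpy(buf, data + off, (size_t)st.scr_len);	/* bounded above */
		off += (size_t)st.scr_len;
		nrec++;
		if (st.scr_direction == 'e')
			break;
	}
	return nrec;
}

/* Append one header + payload record to out; returns the new length. */
size_t
put_record(uint8_t *out, size_t off, uint32_t dir, const char *payload)
{
	struct stamp st = { .scr_len = strlen(payload), .scr_sec = 1090226543,
	    .scr_usec = 0, .scr_direction = dir };
	memcpy(out + off, &st, sizeof st);
	memcpy(out + off + sizeof st, payload, (size_t)st.scr_len);
	return off + sizeof st + (size_t)st.scr_len;
}

/* Constructed input 1: a stamped recording, as "script -r" would produce. */
int
demo_stamped(void)
{
	uint8_t rec[512];
	size_t n = 0;
	n = put_record(rec, n, 's', "Script started\n");
	n = put_record(rec, n, 'i', "ls\r");
	n = put_record(rec, n, 'o', "MAKEDEV console null tty\r\n");
	n = put_record(rec, n, 'e', "Script done\n");
	return replay(rec, n);	/* 4 records */
}

/* Constructed input 2: a plain typescript, i.e. recorded without -r. */
static const char plain_typescript[] =
    "Script started on Mon Jul 19 08:42:23 2004\n"
    "$ ls\nMAKEDEV\tconsole\tnull\ttty\n$ exit\n\n"
    "Script done on Mon Jul 19 08:42:40 2004\n";

int
demo_plain(void)
{
	return replay((const uint8_t *)plain_typescript,
	    sizeof plain_typescript - 1);	/* -1: rejected, not overrun */
}

/* The length the unchecked code would have passed to fread() for input 2. */
uint64_t
plain_first_len(void)
{
	struct stamp st;
	memcpy(&st, plain_typescript, sizeof st);
	return st.scr_len;	/* "Script s" read as an integer: far above PLAYBUF */
}
```

The point of the two inputs is that the same loop serves both: the stamped file replays four records, while the plain typescript is rejected at the first header because its first eight bytes, read as scr_len, are far larger than the buffer and its direction word is not one of the four record types. Checking against sizeof buf rather than a separate constant keeps the bound tied to the buffer it protects.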
>Fix:
The following patch does some error checking on the stamp data read and bails if it's not sane.
--- script.c.orig 2004-07-19 14:02:46.000000000 +0000
+++ script.c 2004-07-19 17:37:46.000000000 +0000
@@ -331,6 +331,13 @@
err(1, "reading playback header");
swapstamp(stamp);
+ if((stamp.scr_direction != 's' &&
+ stamp.scr_direction!= 'e' &&
+ stamp.scr_direction!= 'i' &&
+ stamp.scr_direction!= 'o')||
+ (stamp.scr_len > BUFSIZ ))
+ err(EXIT_FAILURE,"invalid stamp input");
+
l = fread(buf, 1, stamp.scr_len, fscript);
clock = stamp.scr_sec;
tso.tv_sec = stamp.scr_sec;
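Review bot: the new check reports a data problem with err(), which appends strerror(errno) to the message even though no system call has failed at that point; the preceding fread() succeeded (its failure path is the err(1, "reading playback header") line above), so errno is whatever an earlier call left behind and the user sees "invalid stamp input: <unrelated error>". Use errx(EXIT_FAILURE, "invalid stamp input") for a validation failure. Two smaller points on the same lines: the length bound is hard-coded as BUFSIZ while the read target is buf, so expressing it in terms of buf's declared size (sizeof(buf) if it is an array) keeps the limit from drifting if the buffer changes; and the hunk mixes err(1, ...) in the existing line with EXIT_FAILURE in the new one, and lacks spaces around != and after if( and the comma, which KNF style would expect.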
>Release-Note:
>Audit-Trail:
>Unformatted: