Subject: bin/26775: Bug in patch.
To: None <gnats-bugs@gnats.NetBSD.org>
From: Johnny Billquist <bqt@update.uu.se>
List: netbsd-bugs
Date: 08/27/2004 10:31:30
>Number: 26775
>Category: bin
>Synopsis: patch has a bug in line option parsing
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 27 08:45:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Johnny Billquist
>Release: NetBSD 2.0G
>Organization:
>Environment:
System: NetBSD Bjarne.BQTnet.SE 2.0G NetBSD 2.0G (GENERIC) #1: Tue Aug 24 10:12:34 CEST 2004 root@Bjarne.BQTnet.SE:/usr/obj/sys/arch/alpha/compile/GENERIC alpha
Architecture: alpha
Machine: alpha
>Description:
patch does the command line option parsing in a way that sometimes
gets lost. Some options take arguments (such as -F) in which case
patch processes the argument, and sets the remaining string to "".
Patch loops through the remaining string, getting the next option
at the end of the loop through a char pointer, which it does a
pre-increment on. When having set the remaining string to "", a
pre-increment of the pointer means that the pointer points past
the NUL char, into unknown values...
>How-To-Repeat:
For me, a simple "patch -F0" gave an error.
>Fix:
Patch to patch included:
---
Index: patch.c
===================================================================
RCS file: /cvsroot/src/usr.bin/patch/patch.c,v
retrieving revision 1.21
diff -r1.21 patch.c
462,463c462,463
< if (*(s + 1) == '-') {
< opt = decode_long_option(s + 2);
---
> if (*(++s) == '-') {
> opt = decode_long_option(++s);
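Review bot: In the new condition `if (*(++s) == '-')` the increment is a side effect that the short-option path also relies on: `opt = *s++` at line 467 only reads the right character because the failed comparison has already advanced s. Advancing s in its own statement before the `if` and then testing `*s == '-'` would keep the pointer's position from depending on evaluation inside a condition.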
467c467
< opt = *++s;
---
> opt = *s++;
481c481
< if (!*++s)
---
> if (!*s)
489c489
< if (!*++s)
---
> if (!*s)
509c509
< if (*++s == '=')
---
> if (*s == '=')
532c532
< if (*++s == '=')
---
> if (*s == '=')
566c566
< debug = atoi(s+1);
---
> debug = atoi(s);
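Review bot: `debug = atoi(s)` at line 566 returns 0 both for "0" and for an empty or non-numeric string, so a malformed argument is accepted silently. Since this line is being touched anyway, strtol with an end-pointer check would let the parser reject such input instead.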
581c581
< opt = *++s;
---
> opt = *s++;
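Review bot: `opt = *s++` at line 581 still advances s when `*s` is the terminating NUL, which is the state described in the report after an option such as -F has consumed its argument and left s at "". That is safe only if the loop exits on a zero opt and nothing reads through s afterwards, which these lines do not show; incrementing only when the character just read is non-NUL would remove that dependency.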
>Release-Note:
>Audit-Trail:
>Unformatted:
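
The parsing behaviour described in the report, as an added example that is not part of the original report and is not code from NetBSD's patch.c. It is a simplified model: the function `parse`, its `preinc` switch and the sample buffer `word` are assumptions made for illustration, and the bytes after the NUL are constructed to stand in for whatever follows the string in memory.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the option loop described in the report (not the
 * real patch.c). 'F' takes the rest of the word as its argument; every
 * other letter is a plain flag. Letters handled are stored in seen[]
 * (capacity cap) and their count is returned. */
static size_t parse(const char *s, int preinc, char *seen, size_t cap)
{
    size_t n = 0;
    char opt;

    if (cap == 0)
        return 0;
    if (preinc) {
        opt = *++s;           /* s stays ON the current option letter */
    } else {
        s++;                  /* skip '-' */
        opt = *s++;           /* s stays one PAST the current letter */
    }
    while (opt != '\0' && n + 1 < cap) {
        seen[n++] = opt;
        if (opt == 'F')
            s += strlen(s);   /* argument consumed: s now at the NUL */
        /* fetch the next option letter */
        opt = preinc ? *++s   /* steps over the NUL just reached */
                     : *s++;  /* reads the NUL, so the loop ends */
    }
    seen[n] = '\0';
    return n;
}

/* Constructed input: "-F0", its terminator, then two stand-in bytes.
 * Keeping them in one array makes the over-read well defined here. */
static const char word[] = "-F0\0uR";

int main(void)
{
    char seen[8];
    size_t n;

    n = parse(word, 1, seen, sizeof seen);
    printf("pre-increment : %zu option(s): \"%s\"\n", n, seen);
    n = parse(word, 0, seen, sizeof seen);
    printf("post-increment: %zu option(s): \"%s\"\n", n, seen);
    return 0;
}
```

With the pre-increment fetch, the bytes after the terminator are interpreted as further option letters; with the post-increment fetch, parsing stops at the NUL.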