tag 22489 notabug
close 22489
stop

Hello WangLei,

Thank you for the report, however this is not a bug.

On 01/29/2016 07:38 AM, Lei Wang wrote:
Version: GNU Coreutils 8.20-8.25
File: tail.c
Bug description:
Line 1979, parse_obsolete_option() function has three parameters: argc, argv, n_units. We only need to focus on argc and argv, which are from the main() function. Line 1992 filters the argc and argv. When argc==2, line 1998 p = argv[1], line 2000 *p++, then *p=argv[1][1], line 2026 while (ISDIGIT (*p)) accesses p. There is one condition that can lead to program overflow, thus argc==2 and argv[1] has only one character, for example ./tail x, will access the next character after x; this may be a bug, but cannot lead to a program crash.

--WangLei

Case 1: based on your scenario of './tail x', in tail.c:2000, the value of (*p++) is the character 'x'. The switch statement will therefore go to the 'default' case and return immediately (line 2003).

Case 2: if it is run with './tail -', the value of (*p++) in tail.c:2000 is '-', and the corresponding case will 'return false' because "obsolete_usage" is false (line 2008).

Case 3: if it is run with '_POSIX2_VERSION=100 ./tail -', the flow will indeed progress to line 2026. But note that the original value 'p' points to a null-terminated string, which contains "-\0". Advancing 'p' with (*p++) means '*p' is a non-null pointer, pointing to a NUL character (ASCII 0x00). Thus, checking 'ISDIGIT(*p)' is valid and does not cause any problem.

If you have a different case in mind, please reply to this thread with an example.

I'm therefore closing the bug, but discussion can continue.

regards,
 - assaf
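
The three cases in the reply above, as a small C model that records the highest byte index read from the argument. This is an example added here, not the coreutils source and not code from either poster: `model_parse`, `reads_in_bounds` and the local `ISDIGIT` macro are hypothetical names, and the `obsolete_usage` parameter stands in for the `_POSIX2_VERSION` check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Locale-independent digit test (local definition for this sketch). */
#define ISDIGIT(c) ((unsigned int) (c) - '0' <= 9)

/* Simplified model of the control flow discussed in the thread, not the
   coreutils source.  Walks ARG as the messages describe and stores in
   *MAX_INDEX the highest byte index that was read.  Returns true only if
   the digit loop (the thread's "line 2026") was reached.  */
bool
model_parse (const char *arg, bool obsolete_usage, size_t *max_index)
{
  const char *p = arg;
  *max_index = 0;               /* the switch below reads arg[0] */

  switch (*p++)
    {
    default:
      return false;             /* Case 1: "x" never reaches the loop */
    case '-':
      if (!obsolete_usage)
        return false;           /* Case 2: "-" without obsolete usage */
      break;
    }

  /* Case 3: p now points at arg[1], at worst the terminating NUL. */
  for (;;)
    {
      *max_index = (size_t) (p - arg);
      if (!ISDIGIT (*p))
        break;                  /* NUL is not a digit, so the loop stops */
      p++;
    }
  return true;
}

/* A read is in bounds if it stays inside the string or lands on its NUL. */
bool
reads_in_bounds (const char *arg, bool obsolete_usage)
{
  size_t max_index;
  model_parse (arg, obsolete_usage, &max_index);
  return max_index <= strlen (arg);
}
```
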
