I was playing around with afl-fuzz and decided to test the sed -f input,
which very quickly found this (in less than one second).

I don't quite understand the parsing and "repurpose hit" comment, but I
think this is what was intended.

pline is checked for NULL at line 761, but not at line 767 (and passed as
NULL on line 1040).  The test catches the segfault.

Andy
From 9f181b9d15038cd55d0eff59011f88d61fd708dc Mon Sep 17 00:00:00 2001
From: Andy Chu <[email protected]>
Date: Sun, 6 Mar 2016 09:49:50 -0800
Subject: [PATCH] Fix segfault in sed -e 'c\'.

Found by afl-fuzz.
---
 tests/sed.test   | 3 +++
 toys/posix/sed.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/sed.test b/tests/sed.test
index 280b466..ec06baa 100755
--- a/tests/sed.test
+++ b/tests/sed.test
@@ -77,6 +77,9 @@ testing "c {range}" "sed -e '2,4{c blah' -e '}'" \
         "" "one\ntwo\nthree\nfour\nfive\nsix"
 testing "c multiple continuation" \
 	"sed -e 'c\\' -e 'two\\' -e ''" "two\n\n" "" "hello"
+# NOTE: will print 'unfinished c' to stderr and exit 1
+testing "c empty continuation" \
+	"sed -e 'c\\'" "" "" "hello"
 testing "D further processing depends on whether line is blank" \
 	"sed -e '/one/,/three/{' -e 'i meep' -e'N;2D;}'" \
 	"meep\nmeep\ntwo\nthree\n" "" "one\ntwo\nthree\n"
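Review bot: the new "c empty continuation" test asserts only on stdout (expected ""), so the behaviour the NOTE comment documents, the 'unfinished c' message and exit status 1, is never checked; a regression that made `sed -e 'c\'` exit 0 with no output would still pass. Consider folding the diagnostic and status into the compared output, for example `"sed -e 'c\\' 2>&1; echo \$?"` with an expected value of `"sed: unfinished c\n1\n"` (adjust the message prefix to whatever the toybox error_exit() actually prints), so the test pins the fix rather than just the absence of a crash.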
diff --git a/toys/posix/sed.c b/toys/posix/sed.c
index 9b5e666..3def9d4 100644
--- a/toys/posix/sed.c
+++ b/toys/posix/sed.c
@@ -764,7 +764,7 @@ static void jewel_of_judgement(char **pline, long len)
   // Append additional line to pattern argument string?
   // We temporarily repurpose "hit" to indicate line continuations
   if (corwin && corwin->prev->hit) {
-    if (!*pline) error_exit("unfinished %c", corwin->prev->c);;
+    if (!pline || !*pline) error_exit("unfinished %c", corwin->prev->c);;
     // Remove half-finished entry from list so remalloc() doesn't confuse it
     TT.pattern = TT.pattern->prev;
     corwin = dlist_pop(&TT.pattern);
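Review bot: the changed line still carries the stray double semicolon (`error_exit("unfinished %c", corwin->prev->c);;`) inherited from the old line; since the line is being touched anyway, drop the extra `;`. On the fix itself, the cover letter says pline is already NULL-checked earlier in the same function, so this adds a second guard at the point of dereference rather than handling the NULL end-of-input sentinel once near the top of jewel_of_judgement(); that is acceptable for a minimal crash fix, but a one-line comment here noting that pline == NULL means "no more input" would make the reason for the check clear to the next reader.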
-- 
1.9.1

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net