pr -e, with a mix of backspaces and TABs, could corrupt the heap

* tests/pr/Test.pm: New tests for the above.
* src/pr.c (char_to_clump): Ensure that "input_position" never
goes below 0.
Also, elide any backspace encountered when input_position is 0,
to be compatible at least with /bin/pr from Solaris 10.
This bug is present in the original version:
b25038ce9a234ea0906ddcbd8a0012e917e6c661
* NEWS [Bug fixes]: Mention this.
Report and diagnosis by Cristian Cadar, Daniel Dunbar and Dawson Engler
in http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/13272

1 files changed, 11 insertions, 1 deletions

diff --git a/tests/pr/Test.pm b/tests/pr/Test.pm
index 0bbad457f..5dea41690 100644
--- a/tests/pr/Test.pm
+++ b/tests/pr/Test.pm
@@ -1,6 +1,6 @@
 # -*-perl-*-
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2004, 2005, 2007
+# Copyright (C) 1996-2002, 2004, 2005, 2007-2008
 # Free Software Foundation, Inc.
 
 # This program is free software: you can redistribute it and/or modify
@@ -373,6 +373,16 @@ my @tv = (
 # Before coreutils-5.3.1, --pages=1:-1 would be treated like
 # --pages=1:18446744073709551615.
 ['neg-page', '--pages=1:-1', '', '', 1],
+
+# Up to coreutils-6.10, this would cause pr to decrement its
+# internal "input_position" below zero and sometimes segfault.
+['neg-inp-pos1', '-t -e', "\b\b\b\b\b\b\tx\n", "        x\n", 0],
+# NB: while there are 4 backspaces in the input, there are only 3 in the output
+['neg-inp-pos2', '-t -e', "abc\b\b\b\b\tx", "abc\b\b\b        x\n", 0],
+
+# This would clobber so much of the heap, it'd segfault or abort every time.
+['smash-heap', '-t -e300', "a".("\b"x50)."\t", "a\b".(" "x300)."\n", 0],
+['smash-heap8', '-t -e',   "a".("\b"x50)."\t", "a\b".(" "x  8)."\n", 0],
 );
 #']]);