paste -d\\: avoid heap overrun for backslash at end of delim list

* src/paste.c: Include "quotearg.h".
(collapse_escapes): Handle backslash-escaped backslash explicitly.
Handle unescaped backslash at end of string by returning nonzero,
rather than by overrunning memory.
(main): Diagnose an invalid delimiter list -- carefully.
Reported by Cristian Cadar, Daniel Dunbar and Dawson Engler.
* tests/misc/paste-no-nl (delim-bs): Add a test to demonstrate the
heap-smashing capability.
(delim-bs2): Prior to coreutils-5.1.2, this bug was a little harder
to demonstrate: it would corrupt a first-argument containing e.g., \b
* NEWS: Mention the bug fix.
* tests/misc/Makefile.am (TESTS): Reflect renaming.
* tests/misc/paste: Rename from paste-no-nl.

Signed-off-by: Jim Meyering <meyering@redhat.com>

2 files changed, 23 insertions, 6 deletions

diff --git a/tests/misc/Makefile.am b/tests/misc/Makefile.am
index f3ed13209..17a0ec08d 100644
--- a/tests/misc/Makefile.am
+++ b/tests/misc/Makefile.am
@@ -80,7 +80,7 @@ TESTS = \
   nohup \
   od-N \
   od-x8 \
-  paste-no-nl \
+  paste \
   pathchk1 \
   printf \
   printf-hex \
diff --git a/tests/misc/paste-no-nl b/tests/misc/paste
index ec2399182..ab923a22a 100755
--- a/tests/misc/paste-no-nl
+++ b/tests/misc/paste
@@ -1,8 +1,8 @@
 #!/bin/sh
 # -*- perl -*-
-# Ensure that paste properly handles files lacking a final newline.
+# Test paste.
 
-# Copyright (C) 2003, 2005, 2007 Free Software Foundation, Inc.
+# Copyright (C) 2003, 2005, 2007-2008 Free Software Foundation, Inc.
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,13 +28,15 @@ use strict;
 
 (my $program_name = $0) =~ s|.*/||;
 
-$ENV{PROG} = 'paste';
-
 # Turn off localization of executable's ouput.
 @ENV{qw(LANGUAGE LANG LC_ALL)} = ('C') x 3;
 
+my $prog = 'paste';
+my $msg = "$prog: delimiter list ends with an unescaped backslash: ";
+
 my @Tests =
   (
+   # Ensure that paste properly handles files lacking a final newline.
    ['no-nl-1', {IN=>"a"},   {IN=>"b"},   {OUT=>"a\tb\n"}],
    ['no-nl-2', {IN=>"a\n"}, {IN=>"b"},   {OUT=>"a\tb\n"}],
    ['no-nl-3', {IN=>"a"},   {IN=>"b\n"}, {OUT=>"a\tb\n"}],
@@ -46,12 +48,27 @@ my @Tests =
    ['no-nla2', '-d" "', {IN=>"1\na\n"}, {IN=>"2\nb"},   {OUT=>"1 2\na b\n"}],
    ['no-nla3', '-d" "', {IN=>"1\na"},   {IN=>"2\nb\n"}, {OUT=>"1 2\na b\n"}],
    ['no-nla4', '-d" "', {IN=>"1\na\n"}, {IN=>"2\nb\n"}, {OUT=>"1 2\na b\n"}],
+
+   # Specifying a delimiter with a trailing backslash would overrun a
+   # malloc'd buffer.
+   ['delim-bs1', q!-d'\'!, {IN=>{'a'x50=>''}}, {EXIT => 1},
+    # We print a single backslash into the expected output, so need four
+    # (two, each escaped) here.
+    {ERR => $msg . q!\\\\! . "\n"} ],
+
+   # Prior to coreutils-5.1.2, this sort of abuse would make paste
+   # scribble on command-line arguments.  With paste from coreutils-5.1.0,
+   # this example would mangle the first file name argument, if it contains
+   # accepted backslash-escapes:
+   # $ paste -d\\ '123\b\b\b.....@' 2>&1 |cat -A
+   # paste: 23^H^H^H.....@...@: No such file or directory$
+   ['delim-bs2', q!-d'\'!, {IN=>{'123\b\b\b.....@'=>''}}, {EXIT => 1},
+    {ERR => $msg . q!\\\\! . "\n"} ],
   );
 
 my $save_temps = $ENV{DEBUG};
 my $verbose = $ENV{VERBOSE};
 
-my $prog = $ENV{PROG} || die "$0: \$PROG not specified in environment\n";
 my $fail = run_tests ($program_name, $prog, \@Tests, $save_temps, $verbose);
 exit $fail;
 EOF