From 0cfd4f2161de5e942cbd7c273d03a90c1dfd2062 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Wed, 10 Nov 2010 13:53:38 +0100 Subject: csplit: avoid buffer overrun when writing more than 999 files Without this fix, seq 1000 | csplit - /./ '{*}' would write the NUL-terminated file name, xx1000, into a buffer of size 6. * src/csplit.c (main): Use properly sized file name buffer. * NEWS (Bug fixes): Mention it. * tests/misc/csplit-1000: New test to trigger the bug. * tests/Makefile.am (TESTS): Add misc/csplit-1000. --- NEWS | 4 ++++ src/csplit.c | 9 +++++---- tests/Makefile.am | 1 + tests/misc/csplit-1000 | 29 +++++++++++++++++++++++++++++ 4 files changed, 39 insertions(+), 4 deletions(-) create mode 100755 tests/misc/csplit-1000 diff --git a/NEWS b/NEWS index 0cd615332..89ae5d679 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,10 @@ GNU coreutils NEWS -*- outline -*- latent bug introduced in coreutils 8.1, and possibly a second latent bug going at least as far back as coreutils 5.97] + csplit no longer corrupts heap when writing more than 999 files. + Demonstrate with: seq 1000 | csplit - /./ '{*}' + [the bug was present in the initial implementation] + tail -F once again notices changes in a currently unavailable remote directory [bug introduced in coreutils-7.5] diff --git a/src/csplit.c b/src/csplit.c index 40baba825..57543f0a2 100644 --- a/src/csplit.c +++ b/src/csplit.c @@ -1372,10 +1372,11 @@ main (int argc, char **argv) usage (EXIT_FAILURE); } - if (suffix) - filename_space = xmalloc (strlen (prefix) + max_out (suffix) + 2); - else - filename_space = xmalloc (strlen (prefix) + digits + 2); + unsigned int max_digit_string_len + = (suffix + ? max_out (suffix) + : MAX (INT_STRLEN_BOUND (unsigned int), digits)); + filename_space = xmalloc (strlen (prefix) + max_digit_string_len + 1); set_input_file (argv[optind++]); diff --git a/tests/Makefile.am b/tests/Makefile.am index dd1c509b9..a3a30b6bd 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -172,6 +172,7 @@ TESTS = \ misc/chroot-fail \ misc/comm \ misc/csplit \ + misc/csplit-1000 \ misc/date-sec \ misc/dircolors \ misc/df \ diff --git a/tests/misc/csplit-1000 b/tests/misc/csplit-1000 new file mode 100755 index 000000000..accbe4685 --- /dev/null +++ b/tests/misc/csplit-1000 @@ -0,0 +1,29 @@ +#!/bin/sh +# various csplit tests + +# Copyright (C) 2010 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. "${srcdir=.}/init.sh"; path_prepend_ ../src +test "$VERBOSE" = yes && FIXME --version + +# Before coreutils-8.7, this would overrun the 6-byte filename_space buffer. +# It's hard to detect that without using valgrind, so here, we simply +# run the demonstrator. +seq 1000 | csplit - '/./' '{*}' || fail=1 +test -f xx1000 || fail=1 +test -f xx1001 && fail=1 + +Exit $fail -- cgit v1.2.3-54-g00ecf