From b58a8b4ef588ec8a365b920d12e27fdd71aa48d1 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Thu, 27 Mar 2008 12:18:25 +0100
Subject: paste -d\\: avoid heap overrun for backslash at end of delim list

* src/paste.c: Include "quotearg.h".
(collapse_escapes): Handle backslash-escaped backslash explicitly.
Handle unescaped backslash at end of string by returning nonzero,
rather than by overrunning memory.
(main): Diagnose an invalid delimiter list -- carefully.
Reported by Cristian Cadar, Daniel Dunbar and Dawson Engler.
* tests/misc/paste-no-nl (delim-bs): Add a test to demonstrate the
heap-smashing capability.
(delim-bs2): Prior to coreutils-5.1.2, this bug was a little harder
to demonstrate: it would corrupt a first-argument containing e.g., \b
* NEWS: Mention the bug fix.
* tests/misc/Makefile.am (TESTS): Reflect renaming.
* tests/misc/paste: Rename from paste-no-nl.

Signed-off-by: Jim Meyering <meyering@redhat.com>
---
 src/paste.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/paste.c b/src/paste.c
index 3cb84cf5e..20d695333 100644
--- a/src/paste.c
+++ b/src/paste.c
@@ -1,5 +1,5 @@
 /* paste - merge lines of files
-   Copyright (C) 1997-2005 Free Software Foundation, Inc.
+   Copyright (C) 1997-2005, 2008 Free Software Foundation, Inc.
    Copyright (C) 1984 David M. Ihnat
 
    This program is free software: you can redistribute it and/or modify
@@ -42,6 +42,7 @@
 #include <sys/types.h>
 #include "system.h"
 #include "error.h"
+#include "quotearg.h"
 
 /* The official name of this program (e.g., no `g' prefix).  */
 #define PROGRAM_NAME "paste"
@@ -79,12 +80,17 @@ static struct option const longopts[] =
 /* Set globals delims and delim_end.  Copy STRPTR to DELIMS, converting
    backslash representations of special characters in STRPTR to their actual
    values. The set of possible backslash characters has been expanded beyond
-   that recognized by the Unix version.  */
+   that recognized by the Unix version.
+   Return 0 upon success.
+   If the string ends in an odd number of backslashes, ignore the
+   final backslash and return nonzero.  */
 
-static void
+static int
 collapse_escapes (char const *strptr)
 {
   char *strout = xstrdup (strptr);
+  bool backslash_at_end = false;
+
   delims = strout;
 
   while (*strptr)
@@ -123,6 +129,14 @@ collapse_escapes (char const *strptr)
 	      *strout++ = '\v';
 	      break;
 
+	    case '\\':
+	      *strout++ = '\\';
+	      break;
+
+	    case '\0':
+	      backslash_at_end = true;
+	      goto done;
+
 	    default:
 	      *strout++ = *strptr;
 	      break;
@@ -130,7 +144,11 @@ collapse_escapes (char const *strptr)
 	  strptr++;
 	}
     }
+
+ done:;
+
   delim_end = strout;
+  return backslash_at_end ? 1 : 0;
 }
 
 /* Report a write error and exit.  */
@@ -481,7 +499,15 @@ main (int argc, char **argv)
   if (optind == argc)
     argv[argc++] = "-";
 
-  collapse_escapes (delim_arg);
+  if (collapse_escapes (delim_arg))
+    {
+      /* Don't use the default quoting style, because that would double the
+	 number of displayed backslashes, making the diagnostic look bogus.  */
+      set_quoting_style (NULL, escape_quoting_style);
+      error (EXIT_FAILURE, 0,
+	     _("delimiter list ends with an unescaped backslash: %s"),
+	     quotearg_colon (delim_arg));
+    }
 
   if (!serial_merge)
     ok = paste_parallel (argc - optind, &argv[optind]);
-- 
cgit v1.2.3-70-g09d2