From mmead@neon.Glock.COM  Sun Apr 21 22:03:15 1996
Received: from neon.Glock.COM (neon.glock.com [198.82.228.159])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id WAA09894
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 21 Apr 1996 22:03:14 -0700 (PDT)
Received: (from mmead@localhost) by neon.Glock.COM (8.7.5/8.7.3) id BAA01235; Mon, 22 Apr 1996 01:03:08 -0400 (EDT)
Message-Id: <199604220503.BAA01235@neon.Glock.COM>
Date: Mon, 22 Apr 1996 01:03:08 -0400 (EDT)
From: mmead@Glock.COM
Reply-To: mmead@Glock.COM
To: FreeBSD-gnats-submit@freebsd.org
Subject: fmt segfaults
X-Send-Pr-Version: 3.2

>Number:         1153
>Category:       bin
>Synopsis:       fmt segfaults when it receives an empty line of input
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 21 22:10:00 PDT 1996
>Closed-Date:    Mon Apr 22 11:37:35 PDT 1996
>Last-Modified:  Mon Apr 22 11:40:17 PDT 1996
>Originator:     matthew c. mead
>Release:        FreeBSD neon.Glock.COM 2.2-CURRENT FreeBSD 2.2-CURRENT #0: Sat Apr 20 18:54:24 EDT 1996     mmead@neon.Glock.COM:/home/src/sys/compile/NEON  i386
>Organization:
Glock Telecommunications
>Environment:

	As far as I can tell, it happens no matter what the
environment in your shell is, no matter what user you are, etc.

>Description:

	When accepting input for formatting, fmt gets a
segmentation fault when it attempts to process an empty line of
text.  The problem is at line 175 of /usr/src/usr.bin/fmt/fmt.c,
and occurs because on an empty line of text, no space is
allocated to linebuf, which the assignment *cp = '\0'
dereferences.  This is the first of such problems, and
(cp == NULL) checks need to be implemented.

>How-To-Repeat:

echo "" | fmt

>Fix:
	
	I've hacked on /usr/src/usr.bin/fmt/fmt.c and think I've
got the problem all figured out and fixed.  Here's a patch.  I've
tested it fairly thoroughly, but someone else might want to go
through it.

--- /usr/src/usr.bin/fmt/fmt.c-dist	Mon Apr 22 00:43:43 1996
+++ /usr/src/usr.bin/fmt/fmt.c	Mon Apr 22 00:53:41 1996
@@ -172,7 +172,9 @@
 			*cp++ = c;
 			c = getc(fi);
 		}
-		*cp = '\0';
+		if (cp != NULL) {
+			*cp = '\0';
+		}
 
 		/*
 		 * Toss anything remaining on the input line.
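Review bot: guarding `*cp = '\0'` with `if (cp != NULL)` treats the symptom rather than the defect: the reallocating `linebuf` is never allocated when the first input line is empty, so `cp = linebuf` starts out NULL, and this guard leaves that line unterminated while pushing NULL checks onto every later use of `cp` (this patch already adds two more). Reserving at least one byte for `linebuf` before the read loop, so that `*cp = '\0'` always has storage to write to, would fix the empty-line case in one place and leave the rest of the function unchanged.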
@@ -186,7 +188,7 @@
 		col = 0;
 		cp = linebuf;
 		cp2 = canonb;
-		while (cc = *cp++) {
+		while ((cp != NULL) && (cc = *cp++)) {
 			if (cc != '\t') {
 				col++;
 				if (cp2 - canonb >= cbufsize) {
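Review bot: `while ((cp != NULL) && (cc = *cp++))` re-tests `cp` on every character although it cannot become NULL inside the loop; if the NULL-check approach is kept, hoisting it to an `if (cp != NULL)` around the loop says what is meant. Note also that when `cp` is NULL nothing is copied into `canonb` and `cp2` is left pointing at `canonb`, so the trailing-blank trim that follows (`cp2--` then `*++cp2`) must not run in that case.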
@@ -217,12 +219,16 @@
 		/*
 		 * Swipe trailing blanks from the line.
 		 */
-		for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
-			;
-		*++cp2 = '\0';
-		prefix(canonb);
-		if (c != EOF)
+		if (cp != NULL) {
+			for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
+				;
+			*++cp2 = '\0';
+			prefix(canonb);
+			if (c != EOF)
+				c = getc(fi);
+		} else {
 			c = getc(fi);
+		}
 	}
 }
 
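Review bot: in the `else` branch for `cp == NULL` the empty line is consumed by `c = getc(fi)` but nothing is written out, so a blank line arriving before the first allocation, which is a paragraph separator to fmt, silently disappears from the output; emit it (for example `putchar('\n')` before `c = getc(fi)`, or an empty string passed through `prefix()`) so the paragraph break survives. The `else` branch also drops the `c != EOF` test that the `if` branch keeps; `getc` at end of input just returns EOF again, so it is harmless, but the two branches should read the same way.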
>Release-Note:
>Audit-Trail:

From: "matthew c. mead" <mmead@Glock.COM>
To: mmead@Glock.COM
Cc: FreeBSD-gnats-submit@freebsd.org, bugs@freebsd.org
Subject: Re: bin/1153: fmt segfaults
Date: Mon, 22 Apr 1996 08:44:51 -0400 (EDT)

 	The patch in the previous report would not work fully.  I
 failed to test it on blank lines preceding the first line with
 text.  The patch I sent in will cause blank lines preceding the
 first line with text to be eaten.  This patch corrects this
 behavior.  This patch is against the *original*
 /usr/src/usr.bin/fmt/fmt.c, *not* the one obtained after using my
 first patch.
 
 
 --- /usr/src/usr.bin/fmt/fmt.c-dist	Mon Apr 22 00:43:43 1996
 +++ /usr/src/usr.bin/fmt/fmt.c	Mon Apr 22 08:40:06 1996
 @@ -172,7 +172,9 @@
  			*cp++ = c;
  			c = getc(fi);
  		}
 -		*cp = '\0';
 +		if (cp != NULL) {
 +			*cp = '\0';
 +		}
  
  		/*
  		 * Toss anything remaining on the input line.
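 Review bot: this hunk is unchanged from the first patch, and the same point applies: if `linebuf` had at least one byte reserved before the read loop, `*cp = '\0'` would always have somewhere to write and neither this check nor the two that follow would be needed.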
 @@ -186,7 +188,7 @@
  		col = 0;
  		cp = linebuf;
  		cp2 = canonb;
 -		while (cc = *cp++) {
 +		while ((cp != NULL) && (cc = *cp++)) {
  			if (cc != '\t') {
  				col++;
  				if (cp2 - canonb >= cbufsize) {
 @@ -217,12 +219,17 @@
  		/*
  		 * Swipe trailing blanks from the line.
  		 */
 -		for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
 -			;
 -		*++cp2 = '\0';
 -		prefix(canonb);
 -		if (c != EOF)
 +		if (cp != NULL) {
 +			for (cp2--; cp2 >= canonb && *cp2 == ' '; cp2--)
 +				;
 +			*++cp2 = '\0';
 +			prefix(canonb);
 +			if (c != EOF)
 +				c = getc(fi);
 +		} else {
 +			putchar('\n');
  			c = getc(fi);
 +		}
  	}
  }
  
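 Review bot: the added `putchar('\n')` does restore the blank line, but it bypasses `prefix(canonb)`, the route every other line takes to the output, so whatever state `prefix()` keeps (pending text, current column) is not consulted for the blank line. In the original code an empty line reached `prefix()` as an empty string, since `cp2` starts at `canonb` and the trim leaves `canonb[0] == '\0'`; calling `prefix("")` in the `else` branch would keep that behaviour and would also let the `c != EOF` read be shared by both branches instead of duplicated. Worth confirming against the full function that `prefix()` accepts an empty argument the same way.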
 
 -matt
 
 -- 
 Matthew C. Mead
 
 mmead@Glock.COM
 http://www.Glock.COM/~mmead/
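As an added illustration (not code from the PR or from fmt.c), this C model of a lazily allocated, reallocating line buffer shows why an empty line that arrives before any storage exists leaves the buffer pointer NULL, and that reserving the terminator byte up front lets blank lines pass through as ordinary empty strings, the paragraph breaks the second patch had to restore. The struct and function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of fmt's reallocating linebuf (not the real fmt.c): NULL until first grown. */
struct lbuf { char *p; size_t len, cap; };

/* In-memory input so the example runs without files; sgetc() mimics getc(). */
struct src { const char *s; };
static int sgetc(struct src *in) { return *in->s ? (unsigned char)*in->s++ : EOF; }
/* Make room for at least `need` bytes; 0 on success, -1 if realloc fails. */
static int lb_reserve(struct lbuf *b, size_t need) {
    size_t ncap = b->cap ? b->cap : 16;
    char *np;
    if (b->cap >= need) return 0;
    while (ncap < need) ncap *= 2;
    if ((np = realloc(b->p, ncap)) == NULL) return -1;
    b->p = np; b->cap = ncap;
    return 0;
}

/* Read one line: 0 = got a line, 1 = end of input, -1 = allocation failure.
 * With `lazy`, storage is only grown when a character arrives, so an empty
 * line before any allocation leaves b->p NULL and fmt's `*cp = '\0'` would
 * dereference it (the PR 1153 crash), reported here as -2.  Without `lazy`,
 * one byte is reserved first, so every line is a valid string. */
static int read_line(struct lbuf *b, struct src *in, int lazy) {
    int c;
    b->len = 0;
    if (!lazy && lb_reserve(b, 1) != 0) return -1;
    if ((c = sgetc(in)) == EOF) return 1;
    while (c != EOF && c != '\n') {
        if (lb_reserve(b, b->len + 2) != 0) return -1;
        b->p[b->len++] = (char)c;
        c = sgetc(in);
    }
    if (b->p == NULL) return -2;            /* the original *cp = '\0' crash */
    b->p[b->len] = '\0';
    return 0;
}

/* Feed `text` through the reader: number of lines seen (blank lines count,
 * they are the paragraph breaks the fix must keep), or -2 if it would crash. */
static int count_lines(const char *text, int lazy) {
    struct src in = { text };
    struct lbuf b = { NULL, 0, 0 };
    int n = 0, rc;
    while ((rc = read_line(&b, &in, lazy)) == 0) n++;
    free(b.p);
    return rc == 1 ? n : rc;
}
```

The lazy variant only fails when the empty line is the first thing read (`echo "" | fmt`); once a non-empty line has allocated the buffer, later blank lines are terminated normally, which is why the first patch's NULL checks only ever fired for leading blank lines.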

From: David Greenman <davidg@Root.COM>
To: mmead@Glock.COM
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1153: fmt segfaults 
Date: Sun, 28 Apr 1996 15:50:29 -0700

 >	I've hacked on /usr/src/usr.bin/fmt/fmt.c and think I've
 >got the problem all figured out and fixed.  Here's a patch.  I've
 >tested it fairly thoroughly, but someone else might want to go
 >through it.
 >
 >--- /usr/src/usr.bin/fmt/fmt.c-dist	Mon Apr 22 00:43:43 1996
 >+++ /usr/src/usr.bin/fmt/fmt.c	Mon Apr 22 00:53:41 1996
 >@@ -172,7 +172,9 @@
 > 			*cp++ = c;
 > 			c = getc(fi);
 > 		}
 >-		*cp = '\0';
 >+		if (cp != NULL) {
 >+			*cp = '\0';
 >+		}
 ...
 > 		cp = linebuf;
 > 		cp2 = canonb;
 >-		while (cc = *cp++) {
 >+		while ((cp != NULL) && (cc = *cp++)) {
 ...
 
    I don't get it. How can "cp" be NULL? It's assigned to "linebuf" which is
 allocated off the stack:
 
         char linebuf[BUFSIZ], canonb[BUFSIZ];
 
    ...linebuf can never be NULL.
 
 -DG
 
 David Greenman
 Core-team/Principal Architect, The FreeBSD Project

From: "matthew c. mead" <mmead@Glock.COM>
To: davidg@Root.COM
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1153: fmt segfaults
Date: Mon, 22 Apr 1996 12:54:09 -0400 (EDT)

 David Greenman writes:
 
 >    I don't get it. How can "cp" be NULL? It's assigned to "linebuf" which is
 > allocated off the stack:
 
 >         char linebuf[BUFSIZ], canonb[BUFSIZ];
 
 >    ...linebuf can never be NULL.
 
 	Could you be looking at the source for the 2.1 version of
 fmt?  The one in -current has been rewritten to use a
 reallocating buffer for linebuf.
 
 
 
 -matt
 
 -- 
 Matthew C. Mead
 
 mmead@Glock.COM
 http://www.Glock.COM/~mmead/

From: David Greenman <davidg@Root.COM>
To: "matthew c. mead" <mmead@Glock.COM>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1153: fmt segfaults 
Date: Sun, 28 Apr 1996 16:24:24 -0700

 >David Greenman writes:
 >
 >>    I don't get it. How can "cp" be NULL? It's assigned to "linebuf" which is
 >> allocated off the stack:
 >
 >>         char linebuf[BUFSIZ], canonb[BUFSIZ];
 >
 >>    ...linebuf can never be NULL.
 >
 >	Could you be looking at the source for the 2.1 version of
 >fmt?  The one in -current has been rewritten to use a
 >reallocating buffer for linebuf.
 
    Oh! Sorry about that, yes, I was assuming 2.1-stable. Nevermind. :-)
 
 -DG
 
 David Greenman
 Core-team/Principal Architect, The FreeBSD Project
State-Changed-From-To: open->closed 
State-Changed-By: smpatel 
State-Changed-When: Mon Apr 22 11:37:35 PDT 1996 
State-Changed-Why:  
Fixed in version 1.6 of fmt.c 
A variation of this patch has been applied. 
>Unformatted:
