From nobody@FreeBSD.org  Thu Aug 13 00:32:36 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B845210656C2
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Aug 2009 00:32:36 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A6F598FC52
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Aug 2009 00:32:36 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n7D0Waqr014954
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Aug 2009 00:32:36 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n7D0WauU014953;
	Thu, 13 Aug 2009 00:32:36 GMT
	(envelope-from nobody)
Message-Id: <200908130032.n7D0WauU014953@www.freebsd.org>
Date: Thu, 13 Aug 2009 00:32:36 GMT
From: "deeptech71@gmail.com" <deeptech71@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: -CURRENT ee(1) segfaults when seeking to an out-of-bound line number
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         137707
>Category:       bin
>Synopsis:       -CURRENT ee(1) segfaults when seeking to an out-of-bound line number
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 13 00:40:08 UTC 2009
>Closed-Date:    Mon Dec 14 22:39:32 UTC 2009
>Last-Modified:  Mon Dec 14 22:40:02 UTC 2009
>Originator:     deeptech71@gmail.com
>Release:        -CURRENT
>Organization:
>Environment:
FreeBSD  8.0-BETA2 FreeBSD 8.0-BETA2 #0 r196086M: Sat Aug  8 17:46:05 UTC 2009     devhc@:/usr/obj/usr/src/sys/HQ  i386
>Description:
ee(1) segfaults when the cursor is on line 1, and a command is given to jump to line number 0, or the cursor is on the last line and a command is given to jump to a higher line number (it does not segfault when the cursor is on an "inner" line).

Tested some binaries on the released ISOs as well:
8.0-BETA2 also has this issue,
7.1-RELEASE does NOT have this issue.
>How-To-Repeat:
1. run ee
2. press CTRL+C
3. type any integer other than 1
>Fix:


>Release-Note:
>Audit-Trail:

From: Fredrik Lindberg <fli@shapeshifter.se>
To: bug-followup@FreeBSD.org, deeptech71@gmail.com
Cc: hugh.mahon@cwx.net
Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an out-of-bound
 line number
Date: Thu, 13 Aug 2009 11:50:42 +0200

 The version of ee.c in contrib/ee initializes char *direction to NULL;
 the value of this pointer is then calculated depending on whether the
 cursor should move up or down. Without any next lines, the pointer
 is never initialized before being fed to strcmp(), which segfaults on
 the NULL pointer.
 
 This bug is only triggered if the cursor is at the last line and
 one attempts to move down.
 
 To minimize the changes to the contrib source it's easiest to
 just initialize direction to "d"; this should have no impact,
 as the pointer is changed when possible and moving "down" 0 lines
 has no effect.
 
 CCed the upstream author, as the sources in the tree (1.5.0)
 look identical in this aspect.
 
 Hugh, any particular reason direction isn't just a char? I might
 be missing something but it seems it's only used with lines containing
 one character only.
 
 Fredrik
 
 Program received signal SIGSEGV, Segmentation fault.
 0x281a4ec8 in strcmp () from /lib/libc.so.7
 
 #1  0x0804cda6 in goto_line (cmd_str=0x28217102 "2")
      at /usr/home/fli/work/freebsd/src/usr.bin/ee/../../contrib/ee/ee.c:2027
 2027			if (!strcmp(direction, "d"))
 (gdb) print direction
 $1 = 0x0
 (gdb) print number
 $4 = 2
 (gdb) print t_line->line_number
 $5 = 1
 (gdb) print t_line->next_line
 $6 = (struct text *) 0x0
 
 
 Attachment: ee.c-patch (text/plain, inline)
 
 Index: ee.c
 ===================================================================
 --- ee.c	(revision 196171)
 +++ ee.c	(working copy)
 @@ -1993,7 +1993,7 @@
  	int number;
  	int i;
  	char *ptr;
 -	char *direction = NULL;
 +	char *direction = "d"; 
  	struct text *t_line;
  
  	ptr = cmd_str;
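 Review bot: the initializer change keeps strcmp() at ee.c:2027 from receiving NULL only because the no-move case then falls into the "down by zero" path; the precondition the fix relies on (direction is assigned only while the walk actually moves, so i is 0 whenever it is still the initializer) is left implicit. A one-line comment on the initializer saying why "d" is a safe default, or an explicit `if (i == 0)` guard ahead of the strcmp(), would keep a later change to the direction strings from reintroducing the dereference. Minor: the `+` line carries trailing whitespace after the semicolon (`char *direction = "d"; `), which the committed version should drop.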
 
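 The failure mode Fredrik describes, reduced to a stand-alone model: this is an added example, not code from ee.c or from the FreeBSD tree. It rebuilds the relevant shape of goto_line() (a doubly-linked list of lines, a walk that assigns the direction string only while it actually moves, then a strcmp() on that string) so the two initializers can be compared side by side. The names line_t, walk_to_line, apply_direction, goto_line_model, crashes and delta_of are this example's own, and the three-line buffer is constructed sample input.

```c
/* Added example, not ee(1)'s own code: a reduced model of the goto_line()
 * logic described in the follow-up. Lines form a doubly-linked list; the
 * walk toward the requested line number assigns `direction` only while it
 * moves, so a request that moves zero lines (line 0 from line 1, or past the
 * last line) leaves the pointer at whatever it was initialized to. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct line_t {
    int line_number;
    struct line_t *prev_line;
    struct line_t *next_line;
} line_t;

/* Walk from `cur` toward line `number`, stopping at either end of the list.
 * Stores the number of lines moved in *moved and returns the direction
 * string, which is still `initial` when no move happened. */
static const char *walk_to_line(line_t *cur, int number, const char *initial,
                                int *moved)
{
    const char *direction = initial;   /* NULL before the fix, "d" after */
    int i = 0;
    line_t *t = cur;

    while (t->line_number > number && t->prev_line != NULL) {
        i++;
        t = t->prev_line;
        direction = "u";
    }
    while (t->line_number < number && t->next_line != NULL) {
        i++;
        t = t->next_line;
        direction = "d";
    }
    *moved = i;
    return direction;
}

/* The bookkeeping after the walk: +moved for "d", -moved otherwise.
 * A NULL direction is reported through *crashed instead of being passed to
 * strcmp(), which is where the real program took SIGSEGV. */
static int apply_direction(const char *direction, int moved, int *crashed)
{
    *crashed = 0;
    if (direction == NULL) {
        *crashed = 1;
        return 0;
    }
    if (!strcmp(direction, "d"))
        return moved;
    return -moved;
}

/* Constructed sample buffer: lines 1 <-> 2 <-> 3. */
static void build_lines(line_t lines[3])
{
    for (int n = 0; n < 3; n++) {
        lines[n].line_number = n + 1;
        lines[n].prev_line = (n > 0) ? &lines[n - 1] : NULL;
        lines[n].next_line = (n < 2) ? &lines[n + 1] : NULL;
    }
}

/* One "go to line" request from line `from` (1..3) with the given initializer.
 * Returns 1 if the NULL dereference would have occurred; *delta receives the
 * absolute-line change that would have been applied. */
int goto_line_model(int from, int number, const char *initial, int *delta)
{
    line_t lines[3];
    int moved, crashed;
    const char *dir;

    build_lines(lines);
    dir = walk_to_line(&lines[from - 1], number, initial, &moved);
    *delta = apply_direction(dir, moved, &crashed);
    return crashed;
}

/* Convenience wrappers so each outcome is a single return value. */
int crashes(int from, int number, const char *initial)
{
    int delta;
    return goto_line_model(from, number, initial, &delta);
}

int delta_of(int from, int number, const char *initial)
{
    int delta;
    (void)goto_line_model(from, number, initial, &delta);
    return delta;
}

int main(void)
{
    printf("unfixed, last line -> 9: crash=%d\n", crashes(3, 9, NULL));
    printf("fixed,   last line -> 9: crash=%d delta=%d\n",
           crashes(3, 9, "d"), delta_of(3, 9, "d"));
    printf("unfixed, line 1 -> 0:    crash=%d\n", crashes(1, 0, NULL));
    printf("unfixed, line 2 -> 1:    crash=%d delta=%d\n",
           crashes(2, 1, NULL), delta_of(2, 1, NULL));
    return 0;
}
```

 The model reproduces the three cases in the report: from the last line or from line 1 with a target outside the buffer, the walk moves zero lines and only the "d" initializer keeps the comparison off a NULL pointer; from an inner line the walk always assigns direction, so the initializer never matters.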

From: Alexander Best <alexbestms@wwu.de>
To: <bug-followup@FreeBSD.org>,
 <deeptech71@gmail.com>
Cc:  
Subject: Re: bin/137707: -CURRENT ee(1) segfaults when seeking to an
 out-of-bound line number
Date: Tue, 10 Nov 2009 02:01:51 +0100 (CET)

 patch has been committed to HEAD by delphij@ (r199123).
 
 needs to be mfc'ed to 8-stable and maybe 8.0 (if re@ approves). afaic 7-stable
 and 6-stable still run ee 1.4.x. originator reports that the problem doesn't
 exist in the ee 1.4 branch.
 
 please mark pr patched.
 
 thanks.
 alex
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Tue Nov 10 01:16:15 UTC 2009 
State-Changed-Why:  
A patch has been committed against -HEAD to address this issue. 

The current plan is to MFC the change to 8-STABLE next week, but 
probably not 8.0-RELEASE since we are already late with the release. 


Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Nov 10 01:16:15 UTC 2009 
Responsible-Changed-Why:  
Take since I have committed the change. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137707 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Dec 14 22:38:58 UTC 2009 
State-Changed-Why:  
Patch has been applied against 8-STABLE.  This is not applicable 
for 7.x so I think this ticket can be closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137707 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/137707: commit references a PR
Date: Mon, 14 Dec 2009 22:39:10 +0000 (UTC)

 Author: delphij
 Date: Mon Dec 14 22:38:51 2009
 New Revision: 200556
 URL: http://svn.freebsd.org/changeset/base/200556
 
 Log:
   MFC r199123:
   
   Add a minimal change to prevent NULL dereference in ee(1).
   
   To repeat the problem, one can press "Ctrl+C" and then enter "0".
   
   Submitted by:   Alexander Best <alexbestms wwu de>
   PR:		bin/137707
 
 Modified:
   stable/8/contrib/ee/ee.c
 Directory Properties:
   stable/8/contrib/ee/   (props changed)
 
 Modified: stable/8/contrib/ee/ee.c
 ==============================================================================
 --- stable/8/contrib/ee/ee.c	Mon Dec 14 22:30:07 2009	(r200555)
 +++ stable/8/contrib/ee/ee.c	Mon Dec 14 22:38:51 2009	(r200556)
 @@ -1993,7 +1993,7 @@ char *cmd_str;
  	int number;
  	int i;
  	char *ptr;
 -	char *direction = NULL;
 +	char *direction = "d";
  	struct text *t_line;
  
  	ptr = cmd_str;
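 Review bot: the log's reproduction step (Ctrl+C, then 0) is the up-direction case: with a target of 0 and line numbers starting at 1, the previous-line walk never runs, so nothing assigns direction and the initializer is what reaches strcmp(). The original report's other trigger, a target beyond the last line, collapses to the same zero-distance path. The MFC log names only one of the two; a short comment on the `"d"` initializer noting that both out-of-range targets end up as a move of zero lines would document why that default is harmless.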
 
>Unformatted:
