From nobody@FreeBSD.org  Sat Jan 30 17:22:06 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 20C3010656A7
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 30 Jan 2010 17:22:06 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id E54B18FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 30 Jan 2010 17:22:05 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o0UHM5U8073143
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 30 Jan 2010 17:22:05 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o0UHM5AS073142;
	Sat, 30 Jan 2010 17:22:05 GMT
	(envelope-from nobody)
Message-Id: <201001301722.o0UHM5AS073142@www.freebsd.org>
Date: Sat, 30 Jan 2010 17:22:05 GMT
From: Mikolaj Golub <to.my.trociny@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] awk(1) trashes memory with regexp and ^ anchor
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         143375
>Category:       bin
>Synopsis:       [patch] awk(1) trashes memory with regexp and ^ anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 30 17:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Mikolaj Golub
>Release:        8.0-STABLE, 7.2-STABLE
>Organization:
>Environment:
FreeBSD zhuzha.ua1 8.0-STABLE FreeBSD 8.0-STABLE #6: Sun Jan 24 21:36:17 EET 2010     root@zhuzha.ua1:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
This problem with awk(1) regexp and ^ anchor trashing memory was reported to NetBSD by Nicolas Joly and it was fixed there.

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=40689

This script trashes memory:

awk '/^root:/' /etc/passwd
>How-To-Repeat:
zhuzha:/usr/src/contrib/one-true-awk% CFLAGS=-g make

zhuzha:/usr/src/contrib/one-true-awk% gdb a.out
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) b b.c:927
Breakpoint 1 at 0x804e15b: file b.c, line 927.
(gdb) run '/^root:/' /etc/passwd
Starting program: /usr/src/contrib/one-true-awk/a.out '/^root:/' /etc/passwd

Breakpoint 1, cgoto (f=0x28239000, s=2, c=261) at b.c:927
927             f->gototab[s][c] = f->curstat;
(gdb) pt f->gototab
type = unsigned char [32][259]
(gdb) p c
$1 = 261
(gdb) 
(gdb) list b.c:927
922             xfree(f->posns[f->curstat]);
923             if ((p = (int *) calloc(1, (setcnt+1)*sizeof(int))) == NULL)
924                     overflo("out of space in cgoto");
925
926             f->posns[f->curstat] = p;
927             f->gototab[s][c] = f->curstat;
928             for (i = 0; i <= setcnt; i++)
929                     p[i] = tmpset[i];
930             if (setvec[f->accept])
931                     f->out[f->curstat] = 1;

>Fix:
See the attached patch adopted from NetBSD (PR/40689: Nicolas Joly: awk(1) trashes memory with RE and ^ anchor. Another place to special-case HAT.).

Patch attached with submission follows:

--- contrib/one-true-awk.orig/b.c	2007-06-05 18:33:51.000000000 +0300
+++ contrib/one-true-awk/b.c	2010-01-30 19:19:22.000000000 +0200
@@ -924,7 +924,8 @@
 		overflo("out of space in cgoto");
 
 	f->posns[f->curstat] = p;
-	f->gototab[s][c] = f->curstat;
+	if (c != HAT)
+		f->gototab[s][c] = f->curstat;
 	for (i = 0; i <= setcnt; i++)
 		p[i] = tmpset[i];
 	if (setvec[f->accept])
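Review bot: the guard on the new `if (c != HAT)` line only excludes the one value seen in the gdb session (c == 261 against an `unsigned char [32][259]` row), so any other index of NCHARS or above would still write past the row; a bounds-style check such as `if (c < NCHARS)` would cover HAT and any future synthetic symbol alike, assuming NCHARS is the macro behind the 259 row length. Either way, the skipped store deserves a one-line comment ("HAT has no column in gototab; its transition is recomputed each time") so the next reader does not "fix" the missing assignment, and it is worth confirming that no caller reads `f->gototab[s][HAT]` directly, since that read would have the same out-of-range index this hunk stops writing.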


>Release-Note:
>Audit-Trail:
>Unformatted:
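
The aliasing write behind this report, as an added C model that is not code from the PR or from one-true-awk. The table dimensions (32 rows of 259) and the offending column 261 (HAT) are taken from the gdb session above; the macro names NSTATES and NCHARS are assumptions, as is the flat layout of the table (awk's 2-D array places gototab[2][261] at the same byte as gototab[3][2], so the model shows the same effect without leaving the allocation for s < 31). The pre-patch and patched cgoto variants sit side by side so the difference is visible on realistic input.

```c
#include <stdio.h>
#include <string.h>

/* Dimensions come from the gdb session in this PR: gototab is
 * unsigned char [32][259] and awk indexed column 261 (HAT).  The macro
 * names NSTATES and NCHARS are assumptions; only HAT appears in the patch. */
#define NSTATES 32
#define NCHARS  259
#define HAT     261

/* The table is modelled flat so the aliasing write below stays inside the
 * allocation for s < NSTATES-1; in awk's 2-D array the same offset applies. */
struct fa_model {
    unsigned char gototab[NSTATES * NCHARS];
    unsigned char curstat;
};

static unsigned char *cell(struct fa_model *f, int s, int c)
{
    return &f->gototab[(long)s * NCHARS + c];
}

/* Pre-patch behaviour: store the transition unconditionally. */
static int cgoto_unpatched(struct fa_model *f, int s, int c)
{
    *cell(f, s, c) = f->curstat;     /* c == HAT lands in row s+1 */
    return 1;
}

/* Patched behaviour: skip the store when c is the synthetic ^ symbol. */
static int cgoto_patched(struct fa_model *f, int s, int c)
{
    if (c != HAT) {
        *cell(f, s, c) = f->curstat;
        return 1;
    }
    return 0;
}

/* Compute which (state, char) cell a write to gototab[s][c] really touches.
 * Returns 0 when the offset is outside the table altogether. */
int landing_cell(int s, int c, int *ls, int *lc)
{
    long flat = (long)s * NCHARS + c;
    if (flat < 0 || flat >= (long)NSTATES * NCHARS)
        return 0;
    *ls = (int)(flat / NCHARS);
    *lc = (int)(flat % NCHARS);
    return 1;
}

/* Replay the transition from the gdb session (s = 2, c = HAT) with a
 * constructed curstat of 7 and report what ends up in gototab[3][2]. */
int observe_alias(int patched)
{
    struct fa_model f;
    memset(&f, 0, sizeof f);
    f.curstat = 7;
    if (patched)
        cgoto_patched(&f, 2, HAT);
    else
        cgoto_unpatched(&f, 2, HAT);
    return *cell(&f, 3, 2);
}

int main(void)
{
    int ls, lc;

    printf("unpatched: gototab[3][2] = %d after cgoto(2, HAT)\n", observe_alias(0));
    printf("patched:   gototab[3][2] = %d after cgoto(2, HAT)\n", observe_alias(1));

    if (landing_cell(2, HAT, &ls, &lc))
        printf("gototab[2][HAT] aliases gototab[%d][%d]\n", ls, lc);
    if (!landing_cell(NSTATES - 1, HAT, &ls, &lc))
        printf("gototab[%d][HAT] lies past the end of the table\n", NSTATES - 1);
    return 0;
}
```

For state 2 the stray write corrupts state 3's transition on character 2, which is why the symptom is silent memory corruption rather than an immediate crash; for the last state the same index falls past the table entirely.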
