From jin@gracie.lbl.gov  Fri Jan 21 11:38:27 2000
Return-Path: <jin@gracie.lbl.gov>
Received: from gracie.lbl.gov (gracie.lbl.gov [131.243.2.175])
	by hub.freebsd.org (Postfix) with ESMTP id 1DFB214E88
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2000 11:38:27 -0800 (PST)
	(envelope-from jin@gracie.lbl.gov)
Received: (from jin@localhost)
	by gracie.lbl.gov (8.9.3/8.9.3) id LAA70227;
	Fri, 21 Jan 2000 11:38:26 -0800 (PST)
	(envelope-from jin)
Message-Id: <200001211938.LAA70227@gracie.lbl.gov>
Date: Fri, 21 Jan 2000 11:38:26 -0800 (PST)
From: Jin Guojun (FTG staff) <jin@gracie.lbl.gov>
Reply-To: j_guojun@lbl.gov
To: FreeBSD-gnats-submit@freebsd.org
Subject: vi has wrong len type in re_tag_conv()
X-Send-Pr-Version: 3.2

>Number:         16271
>Category:       bin
>Synopsis:       vi has wrong len type in re_tag_conv()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 12:00:02 PST 2000
>Closed-Date:    Sat Jul 21 11:56:05 PDT 2001
>Last-Modified:  Sat Jul 21 11:56:43 PDT 2001
>Originator:     Jin Guojun (FTG staff)
>Release:        FreeBSD 3.4-20000104-STABLE i386
>Organization:
>Environment:

	nvi in FreeBSD 3.4-20000104-STABLE

>Description:

	an unsigned len is used to compare with a signed expression;
	this causes a core dump because (len > 0) is always true,
	so the loop never ends.

>How-To-Repeat:

Look at the code in contrib/nvi/ex/ex_subst.c:

...
static int
re_tag_conv(sp, ptrnp, plenp, replacedp)
        SCR *sp;
        char **ptrnp;
        size_t *plenp;
        int *replacedp;
{
        size_t blen, len;       /* !!!!!!!!!!!! line 1180 !!!!!!!!! */
        int lastdollar;
        char *bp, *p, *t;

        len = *plenp;

        /* Max memory usage is 2 times the length of the string. */
        *replacedp = 1;
        GET_SPACE_RET(sp, bp, blen, len * 2);

        p = *ptrnp;
        t = bp;

        /* If the last character is a '/' or '?', we just strip it. */
        if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))
                --len;

        /* If the next-to-last or last character is a '$', it's magic. */
        if (len > 0 && p[len - 1] == '$') {
                --len;
                lastdollar = 1;
        } else
                lastdollar = 0;

        /* If the first character is a '/' or '?', we just strip it. */
        if (len > 0 && (p[0] == '/' || p[0] == '?')) {
                ++p;
                --len;
        }

        /* If the first or second character is a '^', it's magic. */
        if (p[0] == '^') {
                *t++ = *p++;
                --len;
        }

        /*
         * Escape every other magic character we can find, meanwhile stripping
         * the backslashes ctags inserts when escaping the search delimiter
         * characters.
         */
        for (; len > 0; --len) {        /* !!!!!! line 1221 !!!!!!!! */
                if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
                        ++p;
                        --len;
                } else if (strchr("^.[]$*", p[0]))
                        *t++ = '\\';
                *t++ = *p++;
        }
        if (lastdollar)

	

>Fix:
	
	Change the len type from size_t to int, i.e.,
	move len from line 1180 to line 1181.
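
An added example, not part of this PR and not nvi's code: a dry run of the decrement sequence from the re_tag_conv() excerpt above with a signed counter, so the input shape that would wrap a size_t len (an escaping backslash as the last counted character, with the stripped delimiter still in memory after it) becomes observable instead of hanging, followed by a bounds-checked rewrite of the same conversion that guards every decrement rather than relying on the size_t-to-int change in the Fix. The names tag_conv_underflows and tag_conv_safe are assumptions, as is the PUT helper macro.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Dry run of the decrement sequence in the re_tag_conv() excerpt above, with a
 * signed counter so the point where a size_t len would wrap to SIZE_MAX is
 * observable instead of hanging. Assumed helper, not nvi code. */
bool tag_conv_underflows(const char *p, size_t plen)
{
    long len = (long)plen;
    if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?')) --len;
    if (len > 0 && p[len - 1] == '$') --len;
    if (len > 0 && (p[0] == '/' || p[0] == '?')) { ++p; --len; }
    if (p[0] == '^') { ++p; --len; }          /* unguarded in the original */
    for (; len > 0; --len) {
        /* p[1] may lie beyond len: the stripped delimiter is still in memory */
        if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) { ++p; --len; }
        ++p;
    }
    return len < 0;                           /* size_t would have wrapped */
}

/* Bounds-checked rewrite of the same conversion (assumed helper, not nvi's
 * fix): every decrement is guarded and p[1] is read only when it lies within
 * len. Returns the escaped length written to out (NUL-terminated), or
 * (size_t)-1 if out is too small. */
size_t tag_conv_safe(const char *p, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    int lastdollar = 0;
#define PUT(c) do { if (n + 1 >= outsz) return (size_t)-1; out[n++] = (c); } while (0)
    if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?')) --len;
    if (len > 0 && p[len - 1] == '$') { --len; lastdollar = 1; }
    if (len > 0 && (p[0] == '/' || p[0] == '?')) { ++p; --len; }
    if (len > 0 && p[0] == '^') { PUT(*p++); --len; }
    for (; len > 0; --len) {
        if (p[0] == '\\' && len > 1 && (p[1] == '/' || p[1] == '?')) {
            ++p; --len;                       /* drop the ctags escape */
        } else if (p[0] != '\0' && strchr("^.[]$*", p[0]) != NULL)
            PUT('\\');                        /* escape a magic character */
        PUT(*p++);
    }
    if (lastdollar) PUT('$');
    out[n] = '\0';
#undef PUT
    return n;
}
```

The constructed input "/a\/" (escaped delimiter as the last character, no closing delimiter) is the malformed tags-file shape that drives the original counter past zero; the well-formed "/a\//" does not.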


>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Jin Guojun (FTG staff) <jin@george.lbl.gov>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/16271 
Date: Fri, 31 Mar 2000 12:00:59 +0200

 On Thu, 30 Mar 2000 21:44:22 PST, Jin Guojun wrote:
 
 > This problem also exists in the 4.0 release. The patch is very simple,
 > and the concept is clear. Can we fix this problem by applying the
 > following patch?
 
 I don't think so, because that file is on the vendor branch.  This fix
 should be submitted to Keith Bostic, nvi's maintainer.  If he agrees
 that the next release of nvi will include this patch exactly, then we
 can probably do some magic.
 
 Ciao,
 Sheldon.
 

From: Jin Guojun (FTG staff) <jin@george.lbl.gov>
To: sheldonh@uunet.co.za
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/16271
Date: Fri, 31 Mar 2000 07:54:39 -0800 (PST)

 > > This problem also exists in the 4.0 release. The patch is very simple,
 > > and the concept is clear. Can we fix this problem by applying the
 > > following patch?
 > 
 > I don't think so, because that file is on the vendor branch.  This fix
 > should be submitted to Keith Bostic, nvi's maintainer.  If he agrees
 > that the next release of nvi will include this patch exactly, then we
 > can probably do some magic.
 
 Then, how can I contact Keith Bostic?
 Has he been notified of this problem yet?
 
 	-Jin
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Jin Guojun (FTG staff) <jin@george.lbl.gov>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/16271 
Date: Mon, 03 Apr 2000 12:02:32 +0200

 On Fri, 31 Mar 2000 07:54:39 PST, Jin Guojun wrote:
 
 > > I don't think so, because that file is on the vendor branch.  This fix
 > > should be submitted to Keith Bostic, nvi's maintainer.  If he agrees
 > > that the next release of nvi will include this patch exactly, then we
 > > can probably do some magic.
 > 
 > Then, how can I contact Keith Bostic?
 
 His e-mail address is bostic@bostic.com .
 
 > Has he been notified of this problem yet?
 
 I don't know.  Best contact him directly.
 
 Ciao,
 Sheldon.
 

From: Steve Price <sprice@hiwaay.net>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: re: bin/16271 (fwd)
Date: Mon, 17 Apr 2000 11:25:23 -0500 (CDT)

 ---------- Forwarded message ----------
 Date: Thu, 30 Mar 2000 21:44:22 -0800 (PST)
 From: Jin Guojun <jin@george.lbl.gov>
 To: freebsd-bugs@FreeBSD.ORG
 Subject: re: bin/16271
 
 This problem also exists in the 4.0 release. The patch is very simple,
 and the concept is clear. Can we fix this problem by applying the
 following patch?
 
 Thanks,
 
 	-Jin
 
 } Description
 } 
 }              an unsigned len is used to compare with a signed expression;
 }              this causes a core dump because (len > 0) is always true,
 }              so the loop never ends.
 } 
 
 patch:
 
 *** contrib/nvi/ex/ex_subst.c	Thu Oct 31 22:45:30 1996
 --- /tmp/ex_subst.c.new	Thu Mar 30 21:35:24 2000
 ***************
 *** 1177,1183 ****
   	size_t *plenp;
   	int *replacedp;
   {
 ! 	size_t blen, len;
   	int lastdollar;
   	char *bp, *p, *t;
   
 --- 1177,1184 ----
   	size_t *plenp;
   	int *replacedp;
   {
 ! 	size_t blen;
 ! 	int len;
   	int lastdollar;
   	char *bp, *p, *t;
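
Review bot: changing len from size_t to int makes the loop terminate only because the counter goes negative; the decrements that push it past zero are untouched. In the re_tag_conv() excerpt quoted in the PR, the `if (p[0] == '^')` branch does `--len` with no `len > 0` guard, and inside `for (; len > 0; --len)` the `\/` and `\?` case does a second `--len` and reads `p[1]` past the counted length, where the delimiter stripped a few lines earlier still sits in memory, so a tags entry ending in an escaping backslash drives len from 1 to 0 and then through the loop's own decrement. Suggest keeping len as size_t and guarding the decrements instead, e.g. `if (len > 0 && p[0] == '^')` and `len > 1` before reading `p[1]`, so the function is correct on a malformed tags line rather than merely terminating with a negative count.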
   
 
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: mike 
State-Changed-When: Sat Jul 21 11:56:05 PDT 2001 
State-Changed-Why:  

Originator was advised to contact the vendor; nvi, in this case.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=16271 
>Unformatted:
