From eugen@D00015.dialonly.kemerovo.su  Sat Mar 23 09:12:50 2002
Return-Path: <eugen@D00015.dialonly.kemerovo.su>
Received: from D00015.dialonly.kemerovo.su (www2.svzserv.kemerovo.su [213.184.65.86])
	by hub.freebsd.org (Postfix) with ESMTP id 62DC837B419
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Mar 2002 09:12:46 -0800 (PST)
Received: (from eugen@localhost)
	by D00015.dialonly.kemerovo.su (8.11.6/8.11.6) id g2NHCSg80753
	for freebsd-gnats-submit@FreeBSD.org; Sun, 24 Mar 2002 00:12:28 +0700 (KRAT)
	(envelope-from eugen)
Message-Id: <20020324001228.A80717@grosbein.pp.ru>
Date: Sun, 24 Mar 2002 00:12:28 +0700
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Re: newly introduced builtin 'test' of /bin/sh sometimes makes SIGSEGV

>Number:         36235
>Category:       bin
>Synopsis:       Re: newly introduced builtin 'test' of /bin/sh sometimes makes SIGSEGV
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 23 09:20:01 PST 2002
>Closed-Date:    Mon Mar 25 16:54:04 PST 2002
>Last-Modified:  Wed Oct 26 05:04:50 GMT 2005
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 It seems to me now there is a bug in bltin/test.c (or it is called
 incorrectly). Here we have such a scenario: main() of test.c is
 called with argv[] = { "test", NULL }, then there is 0xa08003d after NULL (0x0)
 in memory. It is frame 4. So *&argv[1] is NULL, t_lex() returns EOI (0)
 and oexpr() is called for 0. oexpr(0) calls aexpr(0), which calls nexpr(0),
 which returns primary(0), which equals 0. Then aexpr() does this (line 229):
 
         if (t_lex(*++t_wp) == BAND)
 
 One can see that t_wp has been initialized to &argv[1] at line 188, so
 it points to the end of argv. So this increment of t_wp produces an illegal
 value pointing to 0xa08003d. Then t_lex() is called for a wrong value
 and bombs. One should definitely review this code and add some kind
 of bounds-checking code.
 
 Eugene Grosbein
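A small C model of the walk described above, added here as an example (it is not FreeBSD's bltin/test.c): the original aexpr() shape advances t_wp past the NULL terminator of argv, while a guarded variant stops at the terminator. The token set, primary(), the run() driver, the t_wp_hi high-water mark and the argv arrays are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of test.c's argv walker (added example, not FreeBSD code). */
enum token { EOI, OPERAND, BAND };

static char **t_wp;     /* current word, like test.c's global t_wp */
static char **t_wp_hi;  /* instrumentation: furthest slot t_lex() examined */

static enum token t_lex(const char *s)
{
    if (t_wp > t_wp_hi) t_wp_hi = t_wp;   /* record how far we got */
    if (s == NULL) return EOI;            /* NULL terminator: end of input */
    return strcmp(s, "-a") == 0 ? BAND : OPERAND;
}

/* primary() reduced to: a non-empty word is true, EOI is false. */
static int primary(enum token n)
{
    return n == OPERAND && (*t_wp)[0] != '\0';
}

/* Shape of the reported aexpr(): `*++t_wp` runs even when *t_wp is NULL. */
static int aexpr_unchecked(enum token n)
{
    int res = primary(n);
    if (t_lex(*++t_wp) == BAND)
        return aexpr_unchecked(t_lex(*++t_wp)) && res;
    t_wp--;
    return res;
}

/* Bounds-checked variant: never step past the terminating NULL. */
static int aexpr_checked(enum token n)
{
    int res = primary(n);
    if (*t_wp == NULL)
        return res;              /* at end of argv: no lookahead possible */
    if (t_lex(*++t_wp) == BAND)
        return aexpr_checked(t_lex(*++t_wp)) && res;
    t_wp--;
    return res;
}

/* Run a walker over argv (argv[argc] must be NULL); stores the truth value
 * in *res and returns how many slots beyond the terminator were examined. */
static long run(int (*walker)(enum token), char **argv, int argc, int *res)
{
    t_wp = t_wp_hi = &argv[1];
    *res = walker(t_lex(*t_wp));
    return t_wp_hi > &argv[argc] ? t_wp_hi - &argv[argc] : 0;
}
```

With no arguments, or with a trailing `-a`, the unchecked walker reads the slot after the NULL terminator (the 0xa08003d of the report); the guarded one never does.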
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Mon Mar 25 16:53:16 PST 2002 
State-Changed-Why:  
Misfiled followup to PR bin/36232. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36235 
>Unformatted:
