From mi@xxx.video-collage.com  Wed Jun 24 16:09:46 1998
Received: from www.video-collage.com (www.video-collage.com [206.15.171.132])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA23231
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Jun 1998 16:09:43 -0700 (PDT)
          (envelope-from mi@xxx.video-collage.com)
Received: from xxx.video-collage.com (xxx.video-collage.com [199.232.254.68])
	by www.video-collage.com (8.8.5/8.8.5) with ESMTP id TAA26554
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Jun 1998 19:07:00 -0400 (EDT)
Received: (from mi@localhost)
	by xxx.video-collage.com (8.8.8/8.8.7) id TAA09928;
	Wed, 24 Jun 1998 19:09:24 -0400 (EDT)
	(envelope-from mi)
Message-Id: <199806242309.TAA09928@xxx.video-collage.com>
Date: Wed, 24 Jun 1998 19:09:24 -0400 (EDT)
From: Mikhail Teterin <mi@video-collage.com>
Reply-To: mi@aldan.algebra.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: sh dumps core on this script
X-Send-Pr-Version: 3.2

>Number:         7059
>Category:       bin
>Synopsis:       sh dumps core on this script
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 24 16:10:01 PDT 1998
>Closed-Date:    Wed Jun 28 03:22:04 PDT 2000
>Last-Modified:  Wed Jun 28 03:24:04 PDT 2000
>Originator:     Mikhail Teterin
>Release:        FreeBSD 2.2.6-BETA i386
>Organization:
Video Collage, Inc.
>Environment:

	QUERY_STRING=First_Name=Mikhail&Last_Name=Teterin&Phone=617-332-0552&Fax=&Email=mi%40aldan.algebra.com&Company=%26ls&Division=&Title=&Company_Size=less+than+25&Address=&City=&State=&Postal_Code=&Country=&Reference=Softimage+Website&Intended_Use=&Number_Users=single&Programming=Yes&B2=Submit&QQQLINKQQQ=./dura
	<------ start of mail.cgi script --------------->
#!/bin/sh

SETTINGS_DIR=`eval basename \`basename $0\``

# Do the mailing.
EMAILS_TXT=$SETTINGS_DIR/e-mails.txt

# If the file with addresses exist --
# use it. Otherwise, use hardcoded address.
if [ -r $EMAILS_TXT ]
then
	EMAILS=`egrep -v ^# $EMAILS_TXT`
else
	EMAILS=mi
fi

(env ; cat) | mail -s $0 $EMAILS

# Output the ThankYou text:
# First, look for the hidden field:
for pair in `echo ${QUERY_STRING} | sed 's/&/ /g'` ; do
	_TY_FILE=${pair#QQQLINKQQQ=}
	if [ $_TY_FILE != $pair ]
	then
		_TY_FILE=${DOCUMENT_ROOT}${_TY_FILE}
		test -r ${_TY_FILE} || \
			logger "${_TY_FILE} does not exist or is not readable"
		break
	fi
done

TY_FILE=${_TY_FILE:-$SETTINGS_DIR/ThankYou.html}

# This will tell the user's browser it will receive HTML
cat << BEGIN_HTML
Content-Type: text/html

BEGIN_HTML

# If the custom ThankYou.html exists -- output it,
# otherwise, output the build-in default message:
if [ -r $TY_FILE ]
then
	cat $TY_FILE
else
	cat << EO_TY
<HTML>
<HEAD>
<TITLE>Thank you</TITLE>
</HEAD>
<BODY>
<H1>Thank you for contacting us.</H1>
The information you submitted was forwarded for
processing.
<HR>
<img SRC="/vclogo.gif" ALT="Video Collage" ALIGN="RIGHT" WIDTH="182" HEIGHT="146
>Description:

	When the script is run (with or without -x) it dies with a seg-fault.
	This happens after processing the Email-part of QUERY_STRING. It
	started happening after I added the line with logger to it, although
	I cannot see a relation. The script's checksum is
		473ad5b1e55577acf5ff70190e270894
	After rebuilding sh for debugging I find:

	0xc667 in popstackmark (mark=0xefbfd690) at memalloc.c:188
	188                     stackp = sp->prev;
	(gdb) p sp
	$1 = (struct stack_block *) 0x0

	My memalloc.c is
		$Id: memalloc.c,v 1.4.2.1 1997/08/25 09:10:08 jkh Exp $

>How-To-Repeat:

	setenv QUERY_STRING as set above
	sh -x ./mail.cgi

>Fix:
	
	Don't know... Do not want to use bash for this, although it works
	with no problems...
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Wed Jul 1 01:10:39 PDT 1998 
State-Changed-Why:  
awaiting fix & committer 

From: Martin Cracauer <cracauer@cons.org>
To: freebsd-gnats-submit@freebsd.org, mi@aldan.algebra.com
Cc:  
Subject: Re: bin/7059: sh dumps core on this script
Date: Mon, 12 Apr 1999 18:22:40 +0200

 I tangled with this problem, but it looks like a serious memory
 corruption, the variable stack is being damaged.  I just committed a
 fix for the stack problem that prints a more meaningful error message,
 but that's all for now.
 
 Appended are three variations of one simple script, where the last one
 fails for me, while the others do not. This happens on 2.2-stable,
 3.1-stable and 4.0-current on machines from 486 to PII-450. As you can
 see, the variations are of a kind that surely shouldn't change
 anything real.
 
 Maybe someone with Purify or similar can run the last of these scripts
 with an instance of /bin/sh compiled on that machine? I'm happy to
 send you a binary for Solaris or whatever you run Purify on (bet the
 coredump doesn't happen on SPARC, but it's worth a try).
 
 Martin
 
 # This is a shell archive.  Save it in a file, remove anything before
 # this line, and then unpack it by entering "sh file".  Note, it may
 # create directories; files and directories will be owned by you and
 # have default permissions.
 #
 # This archive contains:
 #
 #	test3a
 #	test3b
 #	test3c
 #
 echo x - test3a
 sed 's/^X//' >test3a << 'END-of-test3a'
 X#! /bin/sh
 X
 X# The coredump happens with the last entry of this string
 X# It doesn't happen when you shorten the string even when leaving the
 X# offending last entry intact.
 Xexport QUERY_STRING='First_Name=Mikhail&Last_Name=Teterin&Phone=617-332-0552&Fax=&Email=mi%40aldan.algebra.com&Company=%26ls&Division=&Title=&Company_Size=less+than+25&Address=&City=&State=&Postal_Code=&Country=&Reference=Softimage+Website&Intended_Use=&Number_Users=single&Programming=Yes&B2=Submit&QQQLINKQQQ=./dura'
 X
 X# somewhere before memalloc.c, line 190, variable stackp is set to NULL
 X# definitivly a timing problem.
 X
 Xfor pair in `echo ${QUERY_STRING} | sed 's/&/ /g'` ; do
 X	_TY_FILE=${pair#QQQLINKQQQ=}
 X	if [ $_TY_FILE != $pair ]
 X	then
 X# If you activate the following echo's, it will work in my machine
 X# Looks like a timing problem...
 X#		echo check 1 1>&1
 X		_TY_FILE2=${DOCUMENT_ROOT}${_TY_FILE}
 X#		echo check 2 1>&1
 X
 X# The following works when used without the next
 X		test -f '/e' || echo bla 1>&2
 X# This one doesn't
 X#		test -f '/e' \
 X#		    || echo bla 1>&2
 X		break
 X	fi
 Xdone
 END-of-test3a
 echo x - test3b
 sed 's/^X//' >test3b << 'END-of-test3b'
 X#! /bin/sh
 X
 X# The coredump happens with the last entry of this string
 X# It doesn't happen when you shorten the string even when leaving the
 X# offending last entry intact.
 Xexport QUERY_STRING='First_Name=Mikhail&Last_Name=Teterin&Phone=617-332-0552&Fax=&Email=mi%40aldan.algebra.com&Company=%26ls&Division=&Title=&Company_Size=less+than+25&Address=&City=&State=&Postal_Code=&Country=&Reference=Softimage+Website&Intended_Use=&Number_Users=single&Programming=Yes&B2=Submit&QQQLINKQQQ=./dura'
 X
 X# somewhere before memalloc.c, line 190, variable stackp is set to NULL
 X# definitivly a timing problem.
 X
 Xfor pair in `echo ${QUERY_STRING} | sed 's/&/ /g'` ; do
 X	_TY_FILE=${pair#QQQLINKQQQ=}
 X	if [ $_TY_FILE != $pair ]
 X	then
 X# If you activate the following echo's, it will work in my machine
 X# Looks like a timing problem...
 X		echo check 1 1>&1
 X		_TY_FILE2=${DOCUMENT_ROOT}${_TY_FILE}
 X		echo check 2 1>&1
 X
 X# The following works when used without the next
 X		test -f '/e' || echo bla 1>&2
 X# This one doesn't
 X		test -f '/e' \
 X		    || echo bla 1>&2
 X		break
 X	fi
 Xdone
 END-of-test3b
 echo x - test3c
 sed 's/^X//' >test3c << 'END-of-test3c'
 X#! /bin/sh
 X
 X# The coredump happens with the last entry of this string
 X# It doesn't happen when you shorten the string even when leaving the
 X# offending last entry intact.
 Xexport QUERY_STRING='First_Name=Mikhail&Last_Name=Teterin&Phone=617-332-0552&Fax=&Email=mi%40aldan.algebra.com&Company=%26ls&Division=&Title=&Company_Size=less+than+25&Address=&City=&State=&Postal_Code=&Country=&Reference=Softimage+Website&Intended_Use=&Number_Users=single&Programming=Yes&B2=Submit&QQQLINKQQQ=./dura'
 X
 X# somewhere before memalloc.c, line 190, variable stackp is set to NULL
 X# definitivly a timing problem.
 X
 Xfor pair in `echo ${QUERY_STRING} | sed 's/&/ /g'` ; do
 X	_TY_FILE=${pair#QQQLINKQQQ=}
 X	if [ $_TY_FILE != $pair ]
 X	then
 X# If you activate the following echo's, it will work in my machine
 X# Looks like a timing problem...
 X#		echo check 1 1>&1
 X		_TY_FILE2=${DOCUMENT_ROOT}${_TY_FILE}
 X#		echo check 2 1>&1
 X
 X# The following works when used without the next
 X		test -f '/e' || echo bla 1>&2
 X# This one doesn't
 X		test -f '/e' \
 X		    || echo bla 1>&2
 X		break
 X	fi
 Xdone
 END-of-test3c
 exit
 
 -- 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 Martin Cracauer <cracauer@cons.org> http://www.cons.org/cracauer/
 BSD User Group Hamburg, Germany     http://www.bsdhh.org/
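
Added example, not part of the PR or of FreeBSD's sh source: a simplified C model of the block chain that popstackmark unwinds. It shows how a mark that is not on the chain leads to the sp == NULL state in the backtrace above, and a checked unwind that reports the condition instead of dereferencing NULL. The struct layouts, push_block, depth and popstackmark_checked are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: names follow the gdb output above, layouts are assumed. */
struct stack_block { struct stack_block *prev; char space[64]; };
struct stackmark { struct stack_block *stackp; };
static struct stack_block base;            /* bottom block, prev == NULL */
static struct stack_block *stackp = &base; /* current top of the chain */

/* Push a fresh block, as happens when the current block fills up. */
static int push_block(void) {
    struct stack_block *sp = malloc(sizeof *sp);
    if (sp == NULL) return -1;
    sp->prev = stackp;
    stackp = sp;
    return 0;
}
static void setstackmark(struct stackmark *mark) { mark->stackp = stackp; }

/* Number of heap blocks above the base block. */
static int depth(void) {
    int n = 0;
    for (struct stack_block *sp = stackp; sp != &base; sp = sp->prev) n++;
    return n;
}

/* Checked unwind. Unchecked, "sp = stackp; stackp = sp->prev;" run against a
 * mark that is not on the chain walks past the base and reaches sp == NULL.
 * Validating the mark first means a bad mark frees nothing and returns -1. */
static int popstackmark_checked(struct stackmark *mark) {
    struct stack_block *sp = stackp;
    while (sp != NULL && sp != mark->stackp) sp = sp->prev;
    if (sp == NULL) return -1;
    while (stackp != mark->stackp) {
        sp = stackp;
        stackp = sp->prev;
        free(sp);
    }
    return 0;
}

int main(void) {
    struct stack_block stray = {0};   /* constructed: never linked in */
    struct stackmark good, bad = { &stray };
    setstackmark(&good); push_block(); push_block();
    int r1 = popstackmark_checked(&bad), d1 = depth();
    int r2 = popstackmark_checked(&good), d2 = depth();
    printf("bad: %d depth %d; good: %d depth %d\n", r1, d1, r2, d2);
    return 0;
}
```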
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Martin Cracauer <cracauer@cons.org>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/7059: sh dumps core on this script
Date: Mon, 24 May 1999 10:31:34 +0200

 Hi Martin,
 
 I tried the script that you reported cored sh(1) in PR7059 and can't get
 sh(1) to core with it. Is it possible that your mucking about with sh(1)
 a while back fixed this one, or has the problem just shuffled around a
 bit?
 
 Ciao,
 Sheldon.
 
State-Changed-From-To: suspended->feedback 
State-Changed-By: nbm 
State-Changed-When: Mon Jun 26 01:57:16 PDT 2000 
State-Changed-Why:  
sheldonh enquired as to whether this PR still applies, and is awaiting 
feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7059 
State-Changed-From-To: feedback->closed 
State-Changed-By: nbm 
State-Changed-When: Wed Jun 28 03:22:04 PDT 2000 
State-Changed-Why:  
Originator confirms the problem doesn't manifest itself in 4.x, and my 
own testing shows that it doesn't do so in 3.4. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=7059 
>Unformatted:
 ">
 </BODY>
 </HTML>
 EO_TY
 fi
 	<----------- End of mail.cgi ------------->
 
