From cgull@smoke.marlboro.vt.us  Fri Dec  1 00:46:08 1995
Received: from smoke.marlboro.vt.us (smoke.marlboro.vt.us [198.206.215.91])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA16883
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Dec 1995 00:45:49 -0800
Received: (from cgull@localhost) by smoke.marlboro.vt.us (8.6.*cough-wheeze*/8.6.9) id DAA04115; Fri, 1 Dec 1995 03:44:48 -0500
Message-Id: <199512010844.DAA04115@smoke.marlboro.vt.us>
Date: Fri, 1 Dec 1995 03:44:48 -0500
From: john hood <cgull@smoke.marlboro.vt.us>
Reply-To: cgull@smoke.marlboro.vt.us
To: FreeBSD-gnats-submit@freebsd.org
Subject: sh dumps core on uninitialized memory in editline
X-Send-Pr-Version: 3.2

>Number:         858
>Category:       bin
>Synopsis:       sh dumps core on uninitialized memory in editline
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  1 00:50:03 PST 1995
>Closed-Date:    Sat Dec 2 01:44:36 PST 1995
>Last-Modified:  Sat Dec  2 01:46:02 PST 1995
>Originator:     john hood
>Release:        FreeBSD 2.0-BUILT-19950603 i386
>Organization:
>Environment:

Standard binary distribution of FreeBSD 2.0.5.  Bug also verified with
FreeBSD 2.1 boot and fixit floppies.

>Description:

editline will dereference an uninitialized pointer under certain
circumstances.  The memory pointer in question only gets stomped by
certain malloc/free usage patterns, though, so this is apparently not
a common problem.

>How-To-Repeat:

------------------------------8<------------------------------
#!/bin/sh
# Set up a scratch $HOME whose .profile turns on editline, then start a
# login shell there so that .profile is actually read.
DIR=/tmp

cd "$DIR" || exit 1

cat > .profile <<\Bonk
#!/bin/sh
set -x
# 57 slashes ok, 58 kills something
//////////////////////////////////////////////////////////
set -o ignoreeof
set -o emacs  # sh core dumps on this command
echo "Made it!"
Bonk

# A symlink named "-sh" makes argv[0] begin with "-", so sh treats itself
# as a login shell and sources $HOME/.profile.
ln -sf /bin/sh ./-sh

HOME=$DIR
PATH=.:$PATH
export HOME PATH

-sh
------------------------------8<------------------------------


>Fix:
	
*** /usr/src/lib/libedit/term.c	Tue May 30 01:43:15 1995
--- term.c	Wed Nov 29 17:03:20 1995
***************
*** 310,315 ****
--- 310,316 ----
      el->el_term.t_buf = (char *)  el_malloc(TC_BUFSIZE);
      el->el_term.t_cap = (char *)  el_malloc(TC_BUFSIZE);
      el->el_term.t_fkey = (fkey_t *) el_malloc(4 * sizeof(fkey_t));
+     (void) memset(el->el_term.t_fkey, 0, 4 * sizeof(fkey_t));
      el->el_term.t_loc = 0;
      el->el_term.t_str = (char **) el_malloc(T_str * sizeof(char*));
      (void) memset(el->el_term.t_str, 0, T_str * sizeof(char*));
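Review bot: the added memset writes through el->el_term.t_fkey without first checking that el_malloc returned non-NULL, so an allocation failure now faults inside memset rather than being reported; the existing t_str memset two lines below has the same weakness, so either both should gain a NULL check before the memset or both tables should come from a calloc-style allocator that zeroes on allocation. The literal 4 now also appears twice, in the el_malloc and in the memset; a named constant for the key-table size would keep the two from drifting apart. The zeroing itself is the right fix for the report: a fresh table is all-bits-zero instead of whatever the recycled heap block last held, which matches how t_str is already handled on the following line.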


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: peter 
State-Changed-When: Sat Dec 2 01:44:36 PST 1995 
State-Changed-Why:  
Suggested fix applied in rev 1.7 of libedit/term.c 
>Unformatted:
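The mechanism the Description above blames, shown as an added example that is not part of this PR and not libedit's own code: a table of key bindings is allocated with malloc, the lookup code treats a NULL pointer field as "not bound", and nothing ever clears the block, so whether the table looks empty depends on what the recycled heap memory last held. fkey_t, fkey_table_new(), fkey_count_bound() and fkey_would_deref() are hypothetical stand-ins; libedit's real struct layout and lookup loop are not shown in the PR. To make the failure reproducible the unzeroed path fills the block with a constructed non-zero pattern instead of relying on malloc actually handing back dirty memory.

```c
/* Added example modelling the uninitialised key table from PR bin/858.
 * Not libedit code: fkey_t and the functions below are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFKEYS 4          /* the PR's "4 * sizeof(fkey_t)" */
#define STALE_BYTE 0xA5   /* constructed stand-in for recycled heap contents */

typedef struct {
    char *str;   /* bound terminal sequence; NULL means "not bound" */
    int   type;  /* what the binding does (unused here) */
} fkey_t;

/* Allocate the table.  With zero == 0 the block is filled with STALE_BYTE,
 * standing in deterministically for a dirty heap block; with zero != 0 it is
 * cleared, which is what the patch's added memset does. */
fkey_t *fkey_table_new(int zero)
{
    fkey_t *t = malloc(NFKEYS * sizeof(fkey_t));
    if (t == NULL)
        return NULL;                    /* report, do not memset a NULL block */
    if (zero)
        memset(t, 0, NFKEYS * sizeof(fkey_t));
    else
        memset(t, STALE_BYTE, NFKEYS * sizeof(fkey_t)); /* constructed garbage */
    return t;
}

/* Number of entries a "NULL means unbound" lookup would treat as bound. */
int fkey_count_bound(const fkey_t *t)
{
    int n = 0;
    for (int i = 0; i < NFKEYS; i++)
        if (t[i].str != NULL)
            n++;
    return n;
}

/* 1 if a lookup of entry i would follow t[i].str (and, on a stale table,
 * walk into garbage: the core dump the PR reports), 0 if it is skipped. */
int fkey_would_deref(const fkey_t *t, int i)
{
    return t[i].str != NULL;
}

int main(void)
{
    fkey_t *stale = fkey_table_new(0);
    fkey_t *fixed = fkey_table_new(1);
    if (stale == NULL || fixed == NULL)
        return 1;
    printf("unzeroed table: %d of %d entries look bound\n",
           fkey_count_bound(stale), NFKEYS);
    printf("zeroed table:   %d of %d entries look bound\n",
           fkey_count_bound(fixed), NFKEYS);
    /* A real lookup would strcmp(t[i].str, seq) for every "bound" entry;
     * on the stale table that is a read through 0xA5A5... */
    free(stale);
    free(fixed);
    return 0;
}
```

The point of the two paths is that the check `str != NULL` is only meaningful after the memory has been defined; on the unzeroed table every entry passes it, so the first lookup dereferences garbage, while on the zeroed table nothing is followed until an entry is actually bound.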
