From jwd@unx.sas.com  Thu Dec  3 22:07:43 1998
Received: from lamb.sas.com (lamb.sas.com [192.35.83.8])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA24590
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 3 Dec 1998 22:07:42 -0800 (PST)
          (envelope-from jwd@unx.sas.com)
Received: from mozart (mozart.unx.sas.com [192.58.184.8])
	by lamb.sas.com (8.9.1/8.9.1) with SMTP id BAA05079
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 4 Dec 1998 01:07:26 -0500 (EST)
Received: from magenta.pc.sas.com by mozart (5.65c/SAS/Domains/5-6-90)
	id AA22446; Fri, 4 Dec 1998 01:07:26 -0500
Received: (from jwd@localhost)
	by magenta.pc.sas.com (8.9.1/8.9.1) id BAA03786;
	Fri, 4 Dec 1998 01:09:20 -0500 (EST)
	(envelope-from jwd)
Message-Id: <199812040609.BAA03786@magenta.pc.sas.com>
Date: Fri, 4 Dec 1998 01:09:20 -0500 (EST)
From: jwd@unx.sas.com
Reply-To: jwd@unx.sas.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: bug in /bin/pax -s option processing
X-Send-Pr-Version: 3.2

>Number:         8958
>Category:       bin
>Synopsis:       bug in /bin/pax -s option processing
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec  3 22:10:00 PST 1998
>Closed-Date:    Sat Dec 5 21:47:30 PST 1998
>Last-Modified:  Sat Dec  5 21:49:37 PST 1998
>Originator:     John W. DeBoskey
>Release:        FreeBSD 3.0-19981124-SNAP i386
>Organization:
SAS Institute
>Environment:

    Typical FreeBSD installation.

>Description:

/bin/pax -s processing assumes pattern match/replacements will always
occur at offset zero. When a pattern match does not occur at offset zero,
then the input source string pointer is incremented too far. Thus,
output replacement strings are corrupt.

User level data is damaged.

>How-To-Repeat:

Create the following symlink in /tmp:
ln -s /usr/src/bin/pax/pax.c pax.c
pax.c -> /usr/src/bin/pax/pax.c

Copy the symlink to /var/tmp and change src to src2
pax -rw -v -pp -s /src/src2/ pax.c /var/tmp

Inspect the copied link:
pax.c -> /usr/src2pax/pax.c

Note the missing path sep char.

>Fix:
	
--- /usr/src/bin/pax/pat_rep.c.old      Fri May 15 02:27:44 1998
+++ /usr/src/bin/pax/pat_rep.c  Fri Dec  4 00:11:44 1998
@@ -1002,7 +1002,7 @@
 #                      ifdef NET2_REGEX
                        inpt = pt->rcmp->endp[0];
 #                      else
-                       inpt += pm[0].rm_eo;
+                       inpt += pm[0].rm_eo - pm[0].rm_so;
 #                      endif
 
                        if ((outpt == endpt) || (*inpt == '\0'))
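
Review bot: On the changed line in the #else branch, the new step (pm[0].rm_eo - pm[0].rm_so) is only correct if inpt already points at the start of the match when this statement runs, and nothing in the hunk states that. Please add a short comment recording that invariant, since the NET2_REGEX branch just above assigns an absolute pointer (pt->rcmp->endp[0]) and the two branches no longer look equivalent at a glance. Separately, for an empty match (rm_eo == rm_so) inpt does not advance at all, and the check on the following line only tests outpt == endpt and *inpt == '\0', so it is worth confirming that the enclosing loop cannot match again at the same position. A regression test using the -s /src/src2/ case from How-To-Repeat would guard this line.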


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: obrien 
State-Changed-When: Sat Dec 5 21:47:30 PST 1998 
State-Changed-Why:  
committed 
>Unformatted:
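
The pointer error from the Description, reproduced as an added example (not part of the original report and not FreeBSD's pax source). It assumes a POSIX <regex.h>; subst_once() is a hypothetical helper that performs a single substitution without backreferences, and the input is the symlink target from How-To-Repeat.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for this example: apply one "-s /pat/rep/" style
 * substitution. fixed == 0 uses the pre-patch pointer arithmetic, fixed != 0
 * the patched one. Returns 0 on success, -1 on no match or a bad pattern. */
int subst_once(const char *in, const char *pat, const char *rep,
               int fixed, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t pm[1];
    const char *inpt = in, *rpt, *r;
    char *outpt = out, *endpt;
    size_t adv, left;
    int rc;
    if (outsz == 0 || regcomp(&re, pat, 0) != 0)
        return -1;
    rc = regexec(&re, inpt, 1, pm, 0);
    regfree(&re);
    if (rc != 0)
        return -1;
    endpt = out + outsz - 1;
    /* Copy the unmatched prefix; this already advances inpt by rm_so. */
    rpt = inpt + pm[0].rm_so;
    while (inpt < rpt && outpt < endpt)
        *outpt++ = *inpt++;
    /* Emit the replacement (no backreference handling in this sketch). */
    for (r = rep; *r != '\0' && outpt < endpt; r++)
        *outpt++ = *r;
    /* Skip the matched text. rm_eo counts from where regexec() started,
     * so adding it after the prefix copy overshoots by rm_so. */
    adv = fixed ? (size_t)(pm[0].rm_eo - pm[0].rm_so) : (size_t)pm[0].rm_eo;
    left = strlen(inpt);
    inpt += adv > left ? left : adv; /* clamp so the demo stays in bounds */
    while (*inpt != '\0' && outpt < endpt)
        *outpt++ = *inpt++;
    *outpt = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    const char *target = "/usr/src/bin/pax/pax.c"; /* from How-To-Repeat */
    for (int fixed = 0; fixed <= 1; fixed++)
        if (subst_once(target, "src", "src2", fixed, buf, sizeof(buf)) == 0)
            printf("%s: %s\n", fixed ? "patched" : "pre-patch", buf);
    return 0;
}
```

When the match starts at offset zero both variants agree, which is why the defect only shows up for patterns that match mid-string.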
