Re: [dev] [sent] 0.1 release

From: Joerg Jung <mail_AT_umaxx.net>
Date: Wed, 18 Nov 2015 21:48:11 +0100

On Wed, Nov 18, 2015 at 12:53:16AM +0100, Markus Teich wrote:
> Joerg Jung wrote:
> > Here comes another one...
> >
> > As mentioned in this thread:
> > http://marc.info/?t=144772469400002&r=1&w=2 in this mail:
> > http://marc.info/?l=oss-security&m=144774881126397&w=2
> >
> > 'sent empty' with empty being a 0-length file will produce a memory
> > access error. On OpenBSD with malloc.conf -> J it happily dereferences a
> > 0xd0d0d0d0d0d0d0 pointer since there is no such input as line[0] if the
> > file is empty.
> >
> > Same for a file with blank lines.
>
> I cannot reproduce both of these bugs with current HEAD. I get the usage message
> as it is expected due to the following two lines in main():
>
> 	if (!slides || !slides[0].lines)
> 		usage();

Have you compiled sent with address sanitizer as suggested in the
link, or enabled the malloc.conf J option on OpenBSD,
as mentioned above?

> Maybe you or they are running an old version?

Nope.

> Please try the latest one.

Issue is still present in git head, see below.

$ uname -rs
OpenBSD 5.8

$ touch foo

$ ./sent foo
sent 0.2 (c) 2014-2015 markus.teich_AT_stusta.mhn.de
usage: sent FILE1 [FILE2 ...]

$ export MALLOC_OPTIONS="J"

$ ./sent foo
Bus error (core dumped)

$ gdb -q ./sent
(gdb) run foo
Starting program: /home/yogi/dls/sent/sent foo

Program received signal SIGBUS, Bus error.
0x00000b0a0b303b81 in xdraw () at sent.c:335
335 curw = drw_fontset_getwidth(d, s->lines[i]);
(gdb) bt
#0 0x00000b0a0b303b81 in xdraw () at sent.c:335
#1 0x00000b0a0b304a38 in main (argc=1, argv=Variable "argv" is not
available.
) at sent.c:510
(gdb) quit
The program is running. Exit anyway? (y or n) y

$ echo "" >> foo2
$ echo "" >> foo2

$ gdb -q ./sent
(gdb) run foo2
Starting program: /home/yogi/dls/sent/sent foo2

Program received signal SIGBUS, Bus error.
0x00001c855e203b81 in xdraw () at sent.c:335
335 curw = drw_fontset_getwidth(d, s->lines[i]);
(gdb) bt
#0 0x00001c855e203b81 in xdraw () at sent.c:335
#1 0x00001c855e204a38 in main (argc=1, argv=Variable "argv" is not
available.
) at sent.c:510
(gdb) quit
The program is running. Exit anyway? (y or n) y
Received on Wed Nov 18 2015 - 21:48:11 CET
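
Added example, not part of the original message and not sent's code: a minimal C model of why the quoted check prints the usage message with a default allocator but lets an empty file through once MALLOC_OPTIONS="J" is set, assuming the slide array is inspected before anything has been written to it. The `Slide` struct, the helper names and the 0xd0 fill byte (taken from the pointer value in the report) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a slide record; not sent's real struct. */
typedef struct { char **lines; } Slide;

/* Simulate what the allocator hands back: 0x00 models a fresh zeroed
 * page, 0xd0 models junk filling (assumed byte, see the report). */
static Slide *alloc_slides(size_t n, int fill)
{
	Slide *s = malloc(n * sizeof(*s));
	if (s)
		memset(s, fill, n * sizeof(*s));
	return s;
}

/* Check in the style of the one quoted in the thread: it trusts the
 * contents of slides[0], which nothing has written for empty input. */
static int rejects_by_content(const Slide *slides)
{
	return !slides || !slides[0].lines;
}

/* Hardened check: trusts only a counter maintained by the loader. */
static int rejects_by_count(const Slide *slides, size_t slidecount)
{
	return !slides || slidecount == 0;
}

/* Returns 1 if empty input is rejected, 0 if it would reach drawing. */
int empty_input_rejected(int fill, int hardened)
{
	Slide *slides = alloc_slides(4, fill);
	size_t slidecount = 0;	/* loader parsed nothing from an empty file */
	int r = hardened ? rejects_by_count(slides, slidecount)
	                 : rejects_by_content(slides);
	free(slides);
	return r;
}

int main(void)
{
	printf("content check, zeroed: %d\n", empty_input_rejected(0x00, 0));
	printf("content check, junk:   %d\n", empty_input_rejected(0xd0, 0));
	printf("count check,   junk:   %d\n", empty_input_rejected(0xd0, 1));
	return 0;
}
```

The model never dereferences the junk pointer; it only shows which check still rejects the input when the memory is not zero.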