On Wed, Nov 18, 2015 at 12:53:16AM +0100, Markus Teich wrote:
> Joerg Jung wrote:
> > Here comes another one...
> >
> > As mentioned in this thread:
> > http://marc.info/?t=144772469400002&r=1&w=2 in this mail:
> > http://marc.info/?l=oss-security&m=144774881126397&w=2
> >
> > 'sent empty' with empty being a 0-length file will produce a memory
> > access error. On OpenBSD with malloc.conf -> J it happily dereferences a
> > 0xd0d0d0d0d0d0d0 pointer since there is no such input as line[0] if the
> > file is empty.
> >
> > Same for a file with blank lines.
>
> I cannot reproduce both of these bugs with current HEAD. I get the usage
> message as it is expected due to the following two lines in main():
>
> if (!slides || !slides[0].lines)
>         usage();
Have you compiled sent with address sanitizer as suggested in the link, or
enabled the malloc.conf J option on OpenBSD, as mentioned above?

> Maybe you or they are running an old version?

Nope.

> Please try the latest one.

Issue is still present in git head, see below.

$ uname -rs
OpenBSD 5.8
$ touch foo
$ ./sent foo
sent 0.2 (c) 2014-2015 markus.te...@stusta.mhn.de
usage: sent FILE1 [FILE2 ...]
$ export MALLOC_OPTIONS="J"
$ ./sent foo
Bus error (core dumped)
$ gdb -q ./sent
(gdb) run foo
Starting program: /home/yogi/dls/sent/sent foo

Program received signal SIGBUS, Bus error.
0x00000b0a0b303b81 in xdraw () at sent.c:335
335             curw = drw_fontset_getwidth(d, s->lines[i]);
(gdb) bt
#0  0x00000b0a0b303b81 in xdraw () at sent.c:335
#1  0x00000b0a0b304a38 in main (argc=1, argv=Variable "argv" is not available.
) at sent.c:510
(gdb) quit
The program is running.  Exit anyway? (y or n) y
$ echo "" >> foo2
$ echo "" >> foo2
$ gdb -q ./sent
(gdb) run foo2
Starting program: /home/yogi/dls/sent/sent foo2

Program received signal SIGBUS, Bus error.
0x00001c855e203b81 in xdraw () at sent.c:335
335             curw = drw_fontset_getwidth(d, s->lines[i]);
(gdb) bt
#0  0x00001c855e203b81 in xdraw () at sent.c:335
#1  0x00001c855e204a38 in main (argc=1, argv=Variable "argv" is not available.
) at sent.c:510
(gdb) quit
The program is running.  Exit anyway? (y or n) y
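Added illustration, not sent's code and not part of the thread above: a hypothetical slide loader in the spirit of the bug being discussed, with a simulated malloc.conf 'J' junk fill, showing why a check of the shape `if (!slides || !slides[0].lines)` can pass on an empty or blank-only file (the unwritten pointer field reads as 0xd0d0... rather than NULL) and how a check based on the counted number of slides avoids reading unwritten memory at all. The Slide/Deck types, load_deck, junk_alloc and the two check functions are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical deck model (not sent's real structures): a slide owns its
 * lines, the deck records how many slides the loader actually wrote. */
typedef struct { char **lines; size_t nlines; } Slide;
typedef struct { Slide *slides; size_t nslides; } Deck;

/* Simulates OpenBSD malloc.conf 'J': fresh memory is filled with 0xd0 bytes,
 * so an unwritten pointer field compares unequal to NULL. */
static void *junk_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xd0, n);
    return p;
}

static char *copy_line(const char *s, size_t len)
{
    char *c = malloc(len + 1);
    if (c) { memcpy(c, s, len); c[len] = '\0'; }
    return c;
}

/* Non-blank lines are appended to the current slide, a blank line ends it.
 * Empty or blank-only input yields zero slides but still allocates the
 * (junk-filled) slide array, exactly the situation the report describes. */
static Deck load_deck(const char *text)
{
    Deck d = { NULL, 0 };
    size_t cap = 4;
    int open = 0;                       /* is a slide being filled? */

    d.slides = junk_alloc(cap * sizeof(Slide));
    if (!d.slides)
        return d;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        if (len == 0) {
            open = 0;                   /* blank line closes the slide */
        } else {
            if (!open) {
                if (d.nslides == cap) {
                    cap *= 2;
                    d.slides = realloc(d.slides, cap * sizeof(Slide));
                    if (!d.slides) { d.nslides = 0; return d; }
                }
                d.slides[d.nslides].lines = NULL;
                d.slides[d.nslides].nlines = 0;
                d.nslides++;
                open = 1;
            }
            Slide *s = &d.slides[d.nslides - 1];
            s->lines = realloc(s->lines, (s->nlines + 1) * sizeof(char *));
            s->lines[s->nlines++] = copy_line(text, len);
        }
        if (!eol)
            break;
        text = eol + 1;
    }
    return d;
}

/* The check quoted in the thread, applied to this model: with junk fill and
 * no slides written, slides[0].lines is garbage, not NULL, so it passes. */
static int deck_usable_unsafe(const Deck *d)
{
    return d->slides != NULL && d->slides[0].lines != NULL;
}

/* Hardened form: consult only what the loader wrote, i.e. the slide count,
 * never the contents of memory that may be uninitialized. */
static int deck_usable(const Deck *d)
{
    return d->slides != NULL && d->nslides > 0 && d->slides[0].nlines > 0;
}

static void free_deck(Deck *d)
{
    for (size_t i = 0; i < d->nslides; i++) {
        for (size_t j = 0; j < d->slides[i].nlines; j++)
            free(d->slides[i].lines[j]);
        free(d->slides[i].lines);
    }
    free(d->slides);
    d->slides = NULL;
    d->nslides = 0;
}

/* Load-check-free wrappers for a single input. */
static size_t count_slides(const char *t)
{ Deck d = load_deck(t); size_t n = d.nslides; free_deck(&d); return n; }
static int unsafe_check_passes(const char *t)
{ Deck d = load_deck(t); int r = deck_usable_unsafe(&d); free_deck(&d); return r; }
static int safe_check_passes(const char *t)
{ Deck d = load_deck(t); int r = deck_usable(&d); free_deck(&d); return r; }

int main(void)
{
    /* Constructed inputs: empty file, blank-lines-only file, normal file. */
    const char *inputs[] = { "", "\n\n", "hello\nworld\n\nsecond\n" };
    for (size_t i = 0; i < 3; i++)
        printf("input %zu: slides=%zu unsafe=%d safe=%d\n", i,
               count_slides(inputs[i]), unsafe_check_passes(inputs[i]),
               safe_check_passes(inputs[i]));
    return 0;
}
```

The point the two checks make: a NULL test on a field nobody wrote is not validation, it is a read of whatever the allocator left behind, and OpenBSD's junk fill (or ASan) only makes that visible. Tracking the count of elements actually produced gives a check whose result does not depend on allocator behaviour.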