Re: fold -b1 segmentation fault

[Bret S. Lambert]

On Thu, Oct 21, 2010 at 05:57:24PM +0100, Jason McIntyre wrote:
> in case anyone's interested, and as reported in a recent freebsd pr:
> 
>       $ fold -b1
>       Segmentation fault (core dumped)
> 
> no fix is provided.
> 
> jmc
> 
> >Number:         151592
> >Category:       misc
> >Synopsis:       'fold' segfaults on argument processing
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       low
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:        
> >Keywords:       
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Wed Oct 20 03:50:08 UTC 2010
> >Closed-Date:
> >Last-Modified:
> >Originator:     Marcus Reid
> >Release:        8.1-STABLE
> >Organization:
> >Environment:
> FreeBSD austin.sea.netifice.com 8.1-STABLE FreeBSD 8.1-STABLE #0:
> Mon Sep 20 23:53:47 PDT 2010
> r...@austin.sea.netifice.com:/usr/obj/usr/src/sys/FARK  amd64
> >Description:
> The 'fold' utility reads past the end of a buffer if arguments are
> incorrectly specified.  If you pass an argument to '-b' that happens
> to be in the character set "0123456789", line 101 reads past the
> end of argv[optind] and causes a segmentation fault.
> >How-To-Repeat:
> Simply run 'fold -b1'
> >Fix:
> I don't really see what the author is intending to do in that case
> statement where it breaks.
> 
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
> 

Fix appears to be to let getopt handle it, since allowing 0-9 as an
argument is not documented:


Index: fold.c
===================================================================
RCS file: /cvs/src/usr.bin/fold/fold.c,v
retrieving revision 1.12
diff -u -p -r1.12 fold.c
--- fold.c      27 Oct 2009 23:59:38 -0000      1.12
+++ fold.c      21 Oct 2010 17:26:24 -0000
@@ -57,7 +57,7 @@ main(int argc, char *argv[])
        const char *errstr;
 
        width = -1;
-       while ((ch = getopt(argc, argv, "0123456789bsw:")) != -1)
+       while ((ch = getopt(argc, argv, "bsw:")) != -1)
                switch (ch) {
                case 'b':
                        count_bytes = 1;
@@ -70,21 +70,6 @@ main(int argc, char *argv[])
                        if (errstr != NULL)
                                errx(1, "illegal width value, %s: %s", errstr, 
                                        optarg);
-                       break;
-               case '0': case '1': case '2': case '3': case '4':
-               case '5': case '6': case '7': case '8': case '9':
-                       if (width == -1) {
-                               p = argv[optind - 1];
-                               if (p[0] == '-' && p[1] == ch && !p[2])
-                                       w = ++p;
-                               else
-                                       w = argv[optind] + 1;
-
-                               width = strtonum(w, 1, INT_MAX, &errstr);
-                               if (errstr != NULL)
-                                       errx(1, "illegal width value, %s: %s", 
-                                               errstr, optarg);
-                       }
                        break;
                default:
                        (void)fprintf(stderr,