From eugen@grosbein.pp.ru  Sat Nov  1 10:11:51 2003
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BBEF216A4F8
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Nov 2003 10:11:51 -0800 (PST)
Received: from grosbein.pp.ru (D00015.dialonly.kemerovo.su [213.184.66.105])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0454743F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Nov 2003 10:11:34 -0800 (PST)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (smmsp@localhost [127.0.0.1])
	by grosbein.pp.ru (8.12.9p2/8.12.9) with ESMTP id hA1HqwFG059987
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 2 Nov 2003 00:52:58 +0700 (KRAT)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.12.9p2/8.12.9/Submit) id hA1HktIv059840;
	Sun, 2 Nov 2003 00:46:55 +0700 (KRAT)
	(envelope-from eugen)
Message-Id: <200311011746.hA1HktIv059840@grosbein.pp.ru>
Date: Sun, 2 Nov 2003 00:46:55 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Incorrect behavour of sed(1)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58813
>Category:       bin
>Synopsis:       Incorrect behavour of sed(1)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    tjr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 01 10:20:17 PST 2003
>Closed-Date:    Fri Jan 09 22:31:22 PST 2004
>Last-Modified:  Fri Jan 09 22:31:22 PST 2004
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 4.9-STABLE FreeBSD 4.9-STABLE #25: Thu Oct 30 23:34:44 KRAT 2003 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386
	CPUTYPE=i686 and no other optimizations

>Description:
		sed(1) can produce incorrect output while processing
		long lines. It can produce false error messages.
		It can even segfault.

>How-To-Repeat:

Example 1.

perl -e 'print "10: "; print "A" x 2030; print "\n" ' | \
	   sed -E 's/^([^:]+):(.*)$/<a href=\1>\1<\/a>:\2/' 2>&1 |hd 

Writes:

00000000  3c 61 20 68 72 65 66 3d  31 30 3e 31 30 3c 2f 61  |<a href=10>10</a|
00000010  3e 3a 20 41 41 41 41 41  41 41 41 41 41 41 41 41  |>: AAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00000800  00 0a                                             |..|
00000802

Note zero byte in last line.

Replace 2030 with 4000 and see:

00000000  3c 61 20 68 72 65 66 3d  31 30 3e 31 30 3c 2f 61  |<a href=10>10</a|
00000010  3e 3a 20 41 41 41 41 41  41 41 41 41 41 41 41 41  |>: AAAAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00000800  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000fb0  00 00 00 0a                                       |....|
00000fb4

Now there are lots of zero characters.

Use 4077 instead of 4000 and get segmentation fault.

Example 2.

perl -e 'print "10: A\n20: "; print "A" x 2542; print "\n\n" ' | \
sed -E 's/^([^:]+)\:(.*)$/<a href=\1>\1<\/a>:\2/' >/dev/null

Writes:
sed: RE error: invalid regular expression

That's not true.
 
>Fix:

	Unknown for me.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->tjr 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Nov 1 16:57:45 PST 2003 
Responsible-Changed-Why:  
tjr has done a lot of work on sed, perhaps he will be interested 
in fixing this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58813 

From: Kris Kennaway <kris@obsecurity.org>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/58813: Incorrect behavour of sed(1)
Date: Sat, 1 Nov 2003 16:57:08 -0800

 On Sun, Nov 02, 2003 at 12:46:55AM +0700, Eugene Grosbein wrote:
 
 > >Description:
 > 		sed(1) can produce incorrect output while processing
 > 		long lines. It can produce false error messages.
 > 		It can even segfault.
 > 
 > >How-To-Repeat:
 > 
 > Example 1.
 > 
 > perl -e 'print "10: "; print "A" x 2030; print "\n" ' | \
 > 	   sed -E 's/^([^:]+):(.*)$/<a href=\1>\1<\/a>:\2/' 2>&1 |hd 
 > 
 > Writes:
 > 
 > 00000000  3c 61 20 68 72 65 66 3d  31 30 3e 31 30 3c 2f 61  |<a href=10>10</a|
 > 00000010  3e 3a 20 41 41 41 41 41  41 41 41 41 41 41 41 41  |>: AAAAAAAAAAAAA|
 > 00000020  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
 > *
 > 00000800  00 0a                                             |..|
 > 00000802
 > 
 > Note zero byte in last line.
 > 
 
 Enabling malloc debugging (MALLOC_OPTIONS=AJ), the null bytes become
 'd0', which is the malloc debugging character, indicating a memory
 managament error.  This bug also exists on 5.x.
 
 Kris
State-Changed-From-To: open->patched 
State-Changed-By: tjr 
State-Changed-When: Sun Nov 2 15:21:23 PST 2003 
State-Changed-Why:  
Fixed in -current, will be MFC'd after 2 weeks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58813 
State-Changed-From-To: patched->closed 
State-Changed-By: tjr 
State-Changed-When: Fri Jan 9 22:30:55 PST 2004 
State-Changed-Why:  
Fixed in -stable, thanks for the report. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58813 
>Unformatted: