Discussion:
sed bug report - Segfault on L command with long address
Jodie Cunningham
2014-12-09 23:26:49 UTC
To reproduce, run:
sed 'L222222' <<<d

These do not segfault:
sed 'L22222' <<<d
sed 'L2222222222222222222222222' <<<d

I do not have any expected behavior for this as it was just found by
the fuzzer American Fuzzy Lop (lcamtuf.coredump.cx/afl/).

Test machine:
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

sed:
Installed: 4.2.2-4ubuntu1
Candidate: 4.2.2-4ubuntu1
Version table:
*** 4.2.2-4ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status

$ sed --version
sed (GNU sed) 4.2.2

Tracked downstream at Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/sed/+bug/1400575


Thank you,
-Jodie Cunningham
Jim Meyering
2014-12-10 17:25:41 UTC
On Tue, Dec 9, 2014 at 3:26 PM, Jodie Cunningham wrote:
> sed 'L222222' <<<d
> sed 'L22222' <<<d
> sed 'L2222222222222222222222222' <<<d
> I do not have any expected behavior for this as it was just found by
> the fuzzer American Fuzzy Lop (lcamtuf.coredump.cx/afl/).
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.1 LTS
> Release: 14.04
> Codename: trusty
> Installed: 4.2.2-4ubuntu1
> Candidate: 4.2.2-4ubuntu1
> *** 4.2.2-4ubuntu1 0
> 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
> 100 /var/lib/dpkg/status
> $ sed --version
> sed (GNU sed) 4.2.2
> https://bugs.launchpad.net/ubuntu/+source/sed/+bug/1400575
Thank you for that report.
I confirm it can still be triggered with the latest from git,
though with that, I had to add another "2" digit to your
reproducer.

Since the "L" command is GNU-sed-specific, and
documented to be a failed experiment (copying fmt.c
from coreutils' src/fmt.c back in 2002), I am strongly
inclined simply to remove that code, and have already
written the patch, just to see how much work it would
take. I haven't yet written the NEWS entry.

Here's its description from "info sed":

'L N'
This GNU 'sed' extension fills and joins lines in pattern space to
produce output lines of (at most) N characters, like 'fmt' does; if
N is omitted, the default as specified on the command line is used.
This command is considered a failed experiment and unless there is
enough request (which seems unlikely) will be removed in future
versions.

At worst, I'll change it to emit a deprecation warning
upon first use of "L" for the next release, and remove
support altogether in the following one.

Does anyone know of distro-provided scripts
that rely on GNU sed's "L" command?
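The report above gives a single crashing width (six digits) and two non-crashing ones, and Jim notes that current git needed one more digit to trip. When triaging a fuzzer-found crash like this, the first thing a practitioner wants is a sweep over the parameter to see exactly which widths die from a signal. The following POSIX sh harness is an added example, not part of the report or of GNU sed: it builds "L" followed by N copies of the digit 2 for a range of N, runs each script over a constructed one-line input, and classifies the exit as ok, crash:<signal> (exit status 128+N, 11 being SIGSEGV) or error:<status>. It assumes a `sed` on PATH; on a sed where the L command has been removed (the removal Jim proposes here) every row reads error rather than crash, which is itself a useful check that the vulnerable command is gone.

```shell
#!/bin/sh
# Added triage harness for the "L<width>" crash (example code, not from the
# original report or from GNU sed). Assumes a "sed" binary on PATH.

# Run one sed script over a constructed one-line input ("d") and classify how
# sed exits. Prints exactly one of: ok, crash:<signal>, error:<status>.
classify_sed_script() {
    script=$1
    # Wrapping the pipeline in "if" keeps a failing sed from aborting a
    # "set -e" shell; $? in the else branch is sed's own exit status.
    if printf 'd\n' | sed "$script" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        # Shell convention: 128+N means the child died from signal N (11 = SIGSEGV).
        echo "crash:$((status - 128))"
    else
        # Non-zero, non-signal exit: parse error, unknown command, etc.
        echo "error:$status"
    fi
}

# Build the script "L" followed by N copies of the digit 2, e.g. l_script 6 -> L222222.
l_script() {
    n=$1
    digits=""
    while [ "$n" -gt 0 ]; do
        digits="${digits}2"
        n=$((n - 1))
    done
    echo "L$digits"
}

# Sweep digit counts 1..MAX (default 30, wide enough to cover the 25-digit
# case from the report) and print one row per width. Rows reading "crash:"
# are the ones worth attaching to a bug report.
sweep_l_widths() {
    max=${1:-30}
    i=1
    while [ "$i" -le "$max" ]; do
        s=$(l_script "$i")
        printf '%-32s %s\n' "$s" "$(classify_sed_script "$s")"
        i=$((i + 1))
    done
}

sweep_l_widths 30
```

Running it under the sed from the report would show the six-digit row as crash:11 and its neighbours as ok; on a build that has dropped L every row is error:1, and a plain `classify_sed_script p` still reports ok, so the harness itself is easy to sanity-check before trusting its crash rows.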
Paolo Bonzini
2014-12-10 17:30:46 UTC
Jim Meyering wrote:
> Thank you for that report.
> I confirm it can still be triggered with the latest from git,
> though with that, I had to add another "2" digit to your
> reproducer.
> Since the "L" command is GNU-sed-specific, and
> documented to be a failed experiment (copying fmt.c
> from coreutils' src/fmt.c back in 2002), I am strongly
> inclined simply to remove that code, and have already
> written the patch, just to see how much work it would
> take. I haven't yet written the NEWS entry.
> 'L N'
> This GNU 'sed' extension fills and joins lines in pattern space to
> produce output lines of (at most) N characters, like 'fmt' does; if
> N is omitted, the default as specified on the command line is used.
> This command is considered a failed experiment and unless there is
> enough request (which seems unlikely) will be removed in future
> versions.
> At worst, I'll change it to emit a deprecation warning
> upon first use of "L" for the next release, and remove
> support altogether in the following one.
> Does anyone know of distro-provided scripts
> that rely on GNU sed's "L" command?
Just kill it...

Paolo
