Subject: SegV in hexdump
To: None <current-users@NetBSD.org>
From: Auster <lrou@x.ua>
List: current-users
Date: 10/09/2006 14:32:51
SegV (using uninitialized memory) in hexdump on current.
for example: failed cookie-line from `startx'
dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -e \"%08x\"
How to repeat:
% uname -srm
NetBSD 4.99.3 i386
% ident `which hexdump`
/usr/bin/hexdump:
$NetBSD: crt0.c,v 1.16 2006/05/17 17:08:54 christos Exp $
$NetBSD: conv.c,v 1.12 2006/01/04 01:30:21 perry Exp $
$NetBSD: display.c,v 1.20 2006/08/26 18:17:42 christos Exp $
$NetBSD: hexdump.c,v 1.13 2006/01/04 01:30:21 perry Exp $
$NetBSD: hexsyntax.c,v 1.13 2006/01/04 01:30:21 perry Exp $
$NetBSD: odsyntax.c,v 1.24 2006/08/26 18:17:42 christos Exp $
$NetBSD: parse.c,v 1.22 2006/09/23 21:19:34 elad Exp $
% echo test | hexdump -e \"%08x\" || echo :false
zsh: done echo test |
zsh: segmentation fault (core dumped) hexdump -e \"%08x\"
:false
% echo test | MALLOC_OPTIONS=J hexdump -e \"%08x\" || echo :false
zsh: done echo test |
zsh: segmentation fault (core dumped) MALLOC_OPTIONS=J hexdump -e \"%08x\"
:false
% echo test | MALLOC_OPTIONS=Z hexdump -e \"%08x\" && echo true
747365740000000a:true
Problem:
Using uninitialized pr->nextpr in the rewrite function
src/usr.bin/hexdump/parse.c:
412 for (pr = fu->nextpr; pr; pr = pr->nextpr)
413 fu->bcnt += pr->bcnt;
Fix (for example):
% diff -up src/usr.bin/hexdump/parse.c.orig src/usr.bin/hexdump/parse.c
--- src/usr.bin/hexdump/parse.c.orig 2006-09-24 00:19:34.000000000 +0300
+++ src/usr.bin/hexdump/parse.c 2006-10-09 13:30:55.000000000 +0300
@@ -228,6 +228,7 @@ rewrite(FS *fs)
nextpr = &fu->nextpr;
for (nconv = 0, fmtp = fu->fmt; *fmtp; nextpr = &pr->nextpr) {
pr = emalloc(sizeof(PR));
+ memset(pr, 0, sizeof(PR));
*nextpr = pr;
/* Skip preceding text and up to the next % sign. */
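Review bot: the memset after emalloc papers over the real defect, which is that the PR list is never terminated: `nextpr` is advanced to `&pr->nextpr` on every iteration, so when the loop exits it points at the last node's `nextpr`, and nothing ever stores into it. A one-line `*nextpr = NULL;` after the loop states that intent directly, whereas zeroing the whole struct leaves the next reader guessing which field the walk at line 412 actually depends on. If zero-filling the node is the preferred style, replace the emalloc/memset pair with ecalloc(1, sizeof(PR)) where the tree provides it alongside emalloc, rather than two calls.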
--
Auster Vl.
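The bug above is a generic linked-list mistake: the tail-pointer idiom (`nextpr = &pr->nextpr`) links each node to its predecessor but leaves the last node's link holding whatever malloc returned. The following is an added example, not code from hexdump or NetBSD, that models this in a toy PR list with an allocator whose fill byte imitates MALLOC_OPTIONS=J (0xa5 junk) and Z (zero fill); struct and field names mirror the report, everything else is assumed. It shows why the crash appears under J and vanishes under Z, and that terminating the list after the loop is sufficient.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy model of hexdump's PR node (assumed layout, not parse.c's). */
typedef struct pr {
	size_t bcnt;
	struct pr *nextpr;
} PR;

/* Allocator that fills fresh memory with a chosen byte, the way
 * malloc(3) does under MALLOC_OPTIONS=J (0xa5) or Z (0x00).  An
 * unset pointer therefore becomes 0xa5a5... or NULL respectively. */
static void *fill_malloc(size_t n, int fill)
{
	void *p = malloc(n);
	if (p == NULL)
		abort();
	memset(p, fill, n);
	return p;
}

/* Build n nodes with the tail-pointer idiom used by rewrite().
 * With terminate == 0 the last node's nextpr keeps the fill bytes;
 * with terminate != 0 the list is closed after the loop. */
static PR *build_list(size_t n, int fill, int terminate)
{
	PR *head = NULL, *pr = NULL, **nextpr = &head;
	size_t i;

	for (i = 0; i < n; i++, nextpr = &pr->nextpr) {
		pr = fill_malloc(sizeof(PR), fill);
		*nextpr = pr;		/* links predecessor -> pr */
		pr->bcnt = i + 1;	/* pr->nextpr deliberately not set */
	}
	if (terminate)
		*nextpr = NULL;		/* the missing list terminator */
	return head;
}

/* Inspect the tail's nextpr without walking past it, so a junk
 * pointer is reported rather than dereferenced. */
static int tail_terminated(const PR *head, size_t n)
{
	size_t i;

	if (head == NULL)
		return 1;
	for (i = 1; i < n; i++)
		head = head->nextpr;
	return head->nextpr == NULL;
}

/* The walk from parse.c:412; only safe on a terminated list. */
static size_t sum_bcnt(const PR *head)
{
	const PR *pr;
	size_t total = 0;

	for (pr = head; pr != NULL; pr = pr->nextpr)
		total += pr->bcnt;
	return total;
}

static void free_list(PR *head)
{
	while (head != NULL) {
		PR *next = head->nextpr;
		free(head);
		head = next;
	}
}

int main(void)
{
	PR *junk = build_list(3, 0xa5, 0);	/* MALLOC_OPTIONS=J */
	PR *zero = build_list(3, 0x00, 0);	/* MALLOC_OPTIONS=Z */
	PR *fixed = build_list(3, 0xa5, 1);	/* with *nextpr = NULL */

	printf("J, unterminated: tail NULL? %d (walk would crash)\n",
	    tail_terminated(junk, 3));
	printf("Z, unterminated: tail NULL? %d (masked by zero fill)\n",
	    tail_terminated(zero, 3));
	printf("J, terminated:   tail NULL? %d, sum bcnt = %zu\n",
	    tail_terminated(fixed, 3), sum_bcnt(fixed));

	free_list(fixed);
	free_list(zero);	/* zero fill happens to terminate it */
	/* junk is leaked on purpose: freeing would walk the bad link */
	return 0;
}
```

The Z case passes only by accident of the allocator's fill policy, which is exactly why the report's MALLOC_OPTIONS=Z run prints output while the J run segfaults; neither flag is a fix, and a test that sets `MALLOC_OPTIONS=J` (or runs under a sanitizer) is the way to keep this class of bug from hiding.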