Subject: bin/26363: script(1) core dumps when run made to playback a session recorded without the -r flag.
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <firstname.lastname@example.org>
Date: 07/19/2004 08:42:23
>Synopsis: script(1) core dumps when run made to playback a session recorded without the -r flag.
>Arrival-Date: Mon Jul 19 11:07:00 UTC 2004
>Originator: Kailash Sethuraman
>Release: NetBSD 2.0_BETA
NetBSD harold 2.0_BETA NetBSD 2.0_BETA (GENERIC_LAPTOP) #0: Sat Jun 12 11:59:40 SGT 2004 root@kasba:/usr/src/nbsd/obj/usr/src/nbsd/src/sys/arch/i386/compile/GENERIC_LAPTOP i386
$ ident /usr/bin/script
$NetBSD: crt0.c,v 1.13 2003/07/26 19:24:27 salo Exp $
$NetBSD: script.c,v 1.9 2003/08/07 11:15:48 agc Exp $
/usr/bin/script can be run to record sessions in the terminal and play them back.When sessions are recorded with the -r. script -p can be used on the output to play it back in real time. However when script -p is used to play back sessions NOT recorded with "script -r" but with just "script", it segmentation faults. This is because of inadequate checking performed to see if the stamp data in the input file is sane.
The following sequence causes a core dump.
script has to log enough data larger than the stamp structure to cause a
seg fault, therefore, the following commands cause a segmentation fault.
enter any large directory like /dev ,
script -p ~/typescript
The following patch does some error checking on the stamp data
read and bails if its not sane.
--- script.c.orig 2004-07-19 14:02:46.000000000 +0000
+++ script.c 2004-07-19 17:37:46.000000000 +0000
@@ -331,6 +331,13 @@
err(1, "reading playback header");
+ if((stamp.scr_direction != 's' &&
+ stamp.scr_direction!= 'e' &&
+ stamp.scr_direction!= 'i' &&
+ stamp.scr_direction!= 'o')||
+ (stamp.scr_len > BUFSIZ ))
+ err(EXIT_FAILURE,"invalid stamp input");
l = fread(buf, 1, stamp.scr_len, fscript);
clock = stamp.scr_sec;
tso.tv_sec = stamp.scr_sec;