Subject: bin/28589: out-of-bounds memory access in patch(1)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 12/09/2004 04:00:00
>Number: 28589
>Category: bin
>Synopsis: out-of-bounds memory access in patch(1)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 09 04:00:00 +0000 2004
>Originator: Jun-ichiro itojun Hagino
>Release: NetBSD 2.99.10
>Organization:
itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 2.99.10 NetBSD 2.99.10 (STARFRUIT) #40: Tue Nov 16 15:41:58 JST 2004 itojun@starfruit.itojun.org:/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
Architecture: i386
Machine: i386
>Description:
usr.bin/patch/patch.c:get_some_switches() has a code fragment which
could lead to an out-of-bounds access.
The culprit is "opt = *++s;".
% ident /usr/bin/patch
/usr/bin/patch:
$NetBSD: crt0.c,v 1.13 2003/07/26 19:24:27 salo Exp $
$NetBSD: patch.c,v 1.21 2004/08/14 12:53:35 cube Exp $
$NetBSD: pch.c,v 1.19 2003/07/30 08:51:04 itojun Exp $
$NetBSD: inp.c,v 1.17 2003/07/30 08:51:04 itojun Exp $
$NetBSD: version.c,v 1.6 2003/07/12 13:47:44 itojun Exp $
$NetBSD: util.c,v 1.20 2004/10/30 21:52:09 dsl Exp $
$NetBSD: backupfile.c,v 1.13 2003/07/30 08:51:04 itojun Exp $
>How-To-Repeat:
>Fix:
Dunno. Is the following fragment sufficient?
	if (*s)
		opt = *++s;
	else
		opt = *s;
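
Added example, not part of the original PR and not NetBSD's patch.c: a simplified model of a scanner cursor walking one argument string, comparing the unguarded "opt = *++s;" step with the guarded form proposed above. The names step_unguarded, step_guarded and first_oob_step are hypothetical, and the model tracks indices instead of dereferencing, so it never performs the out-of-bounds read itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One scanner step: where the cursor lands, and whether reading there stays
 * inside the string (index strlen(arg) is the terminating NUL, still valid). */
struct step { size_t idx; int in_bounds; };

/* Models "opt = *++s;": always advance, then read. */
static struct step step_unguarded(const char *arg, size_t pos)
{
    struct step r = { pos + 1, 0 };
    r.in_bounds = r.idx <= strlen(arg);
    return r;
}

/* Models the guard from the PR: if (*s) opt = *++s; else opt = *s;
 * The caller must pass pos <= strlen(arg). */
static struct step step_guarded(const char *arg, size_t pos)
{
    struct step r = { arg[pos] ? pos + 1 : pos, 0 };
    r.in_bounds = r.idx <= strlen(arg);
    return r;
}

/* Apply a step function repeatedly from index 0. Returns the 1-based step
 * whose read would leave the string, or 0 if none does within max_steps. */
static int first_oob_step(const char *arg, int max_steps,
                          struct step (*fn)(const char *, size_t))
{
    size_t pos = 0;
    int i;
    for (i = 1; i <= max_steps; i++) {
        struct step r = fn(arg, pos);
        if (!r.in_bounds)
            return i;
        pos = r.idx;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample argument: a bare "-" with nothing after it. */
    printf("unguarded: first OOB at step %d\n", first_oob_step("-", 8, step_unguarded));
    printf("guarded:   first OOB at step %d\n", first_oob_step("-", 8, step_guarded));
    return 0;
}
```

In the model, the unguarded step leaves the string as soon as it is applied with the cursor already on the terminating NUL, while the guarded step parks on the NUL no matter how many times it is applied.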