Subject: bin/1356: [dM] join can coredump
To: None <gnats-bugs@gnats.netbsd.org>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: netbsd-bugs
Date: 08/14/1995 14:05:44
>Number:         1356
>Category:       bin
>Synopsis:       [dM] join can coredump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 14 14:20:01 1995
>Last-Modified:
>Originator:     der Mouse
>Organization:
	Dis-
>Release:        -current as of August 11th
>Environment:
	SPARC IPC, but it's machine-independent
>Description:
	join can coredump by calling strcmp() with a nil pointer, if an
	input line contains exactly one field too few for the -j
	option's field to be present.  The problem appears to be that
	cmp() uses < rather than <= when comparing field numbers
	against field counts.  (I conjecture someone forgot which
	numbers were 0-origin and which 1-origin.)
>How-To-Repeat:
	% cat > z.1
	a b
	c d
	^D
	% cat > z.2
	a
	e d
	^D
	% join -j 2 z.1 z.2
	Segmentation fault
>Fix:
	This seems to stop the coredumping, though join still seems to
	misbehave a little; for example, the example above produces no
	output, rather than the "d c e" line that it seems to me it
	should.

*** /sources/working-usr-src/usr.bin/join/join.c	Tue May 30 08:49:41 1995
--- join.c	Mon Aug 14 13:53:36 1995
***************
*** 356,364 ****
  	LINE *lp1, *lp2;
  	u_long fieldno1, fieldno2;
  {
! 	if (lp1->fieldcnt < fieldno1)
  		return (lp2->fieldcnt < fieldno2 ? 0 : 1);
! 	if (lp2->fieldcnt < fieldno2)
  		return (-1);
  	return (strcmp(lp1->fields[fieldno1], lp2->fields[fieldno2]));
  }
--- 356,364 ----
  	LINE *lp1, *lp2;
  	u_long fieldno1, fieldno2;
  {
! 	if (lp1->fieldcnt <= fieldno1)
  		return (lp2->fieldcnt < fieldno2 ? 0 : 1);
! 	if (lp2->fieldcnt <= fieldno2)
  		return (-1);
  	return (strcmp(lp1->fields[fieldno1], lp2->fields[fieldno2]));
  }
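Review bot: The nested test in the first branch, "lp2->fieldcnt < fieldno2 ? 0 : 1", still uses < while both outer guards move to <=, so when neither line has the join field and lp2->fieldcnt equals fieldno2 the function returns 1 where the two lines should compare equal (0). Suggest changing that test to "lp2->fieldcnt <= fieldno2" as well, and adding a comment on cmp() stating that fieldno1/fieldno2 are 0-origin indexes while fieldcnt is a count, since that mismatch is what the < guards got wrong.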

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
>Audit-Trail:
>Unformatted:
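Added example, not part of the original report and not NetBSD's join.c: a small stand-alone C program that applies the old (<) and patched (<=) guards to the sample lines from How-To-Repeat and reports whether strcmp() would be handed a nil field pointer. The LINE layout, MAXF, and the helper names are assumptions made for illustration; "-j 2" is taken to mean 0-origin field index 1, as the report's analysis implies.

```c
#include <stdio.h>
#include <string.h>

#define MAXF 8

/* Simplified stand-in for join's LINE (assumed layout, not the NetBSD struct). */
typedef struct {
    char buf[64];
    char *fields[MAXF + 1];     /* slots past fieldcnt stay NULL */
    unsigned long fieldcnt;
} LINE;

/* Split a constructed sample line on blanks into lp->fields. */
static void split_line(LINE *lp, const char *text)
{
    memset(lp, 0, sizeof(*lp));
    strncpy(lp->buf, text, sizeof(lp->buf) - 1);
    for (char *p = strtok(lp->buf, " \t"); p != NULL && lp->fieldcnt < MAXF;
         p = strtok(NULL, " \t"))
        lp->fields[lp->fieldcnt++] = p;
}

/* Original guard: treats a 0-origin index equal to the count as present. */
static int old_guard_passes(const LINE *lp, unsigned long fieldno)
{ return !(lp->fieldcnt < fieldno); }

/* Patched guard: index must be strictly below the count. */
static int new_guard_passes(const LINE *lp, unsigned long fieldno)
{ return !(lp->fieldcnt <= fieldno); }

/* Returns 1 if the chosen guard would let strcmp() see a NULL field. */
int reaches_null(const char *text, unsigned long fieldno, int use_new)
{
    LINE l;
    split_line(&l, text);
    int passes = use_new ? new_guard_passes(&l, fieldno)
                         : old_guard_passes(&l, fieldno);
    return passes && l.fields[fieldno] == NULL;
}

int main(void)
{
    /* Lines taken from z.2 in the report; index 1 corresponds to -j 2. */
    printf("old guard, \"a\":   %d\n", reaches_null("a", 1, 0));
    printf("new guard, \"a\":   %d\n", reaches_null("a", 1, 1));
    printf("old guard, \"e d\": %d\n", reaches_null("e d", 1, 0));
    return 0;
}
```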