From f190fa91a32e59b482e47239e0d4b146fa7a9832 Mon Sep 17 00:00:00 2001 From: millert Date: Wed, 21 Sep 2022 01:42:58 +0000 Subject: [PATCH] Update awk to Sep 12, 2022 version. Fix undefined behavior and a use-after-free in cat(). --- usr.bin/awk/FIXES | 5 +++++ usr.bin/awk/main.c | 4 ++-- usr.bin/awk/run.c | 7 ++++--- usr.bin/awk/tran.c | 5 ++--- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/usr.bin/awk/FIXES b/usr.bin/awk/FIXES index ec76a4ee1b8..fdf782e6295 100644 --- a/usr.bin/awk/FIXES +++ b/usr.bin/awk/FIXES @@ -25,6 +25,11 @@ THIS SOFTWARE. This file lists all bug fixes, changes, etc., made since the AWK book was sent to the printers in August 1987. +Sep 12, 2022: + adjbuf minlen error (cannot be 0) in cat, resulting in NULL pbuf. + discovered by todd miller. also use-after-free issue with + tempfree in cat, thanks to Miguel Pineiro Jr and valgrind. + Aug 30, 2022: Various leaks and use-after-free issues plugged/fixed. Thanks to Miguel Pineiro Jr. . diff --git a/usr.bin/awk/main.c b/usr.bin/awk/main.c index 6edec091924..4b057660c1f 100644 --- a/usr.bin/awk/main.c +++ b/usr.bin/awk/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.55 2022/09/01 15:21:28 millert Exp $ */ +/* $OpenBSD: main.c,v 1.56 2022/09/21 01:42:58 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -23,7 +23,7 @@ ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ****************************************************************/ -const char *version = "version 20220830"; +const char *version = "version 20220912"; #define DEBUG #include diff --git a/usr.bin/awk/run.c b/usr.bin/awk/run.c index 055159584c4..5d87b43e8e6 100644 --- a/usr.bin/awk/run.c +++ b/usr.bin/awk/run.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: run.c,v 1.73 2022/09/01 15:21:28 millert Exp $ */ +/* $OpenBSD: run.c,v 1.74 2022/09/21 01:42:59 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -1198,16 +1198,17 @@ Cell *cat(Node **a, int q) /* a[0] cat a[1] */ x = execute(a[0]); n1 = strlen(getsval(x)); - adjbuf(&s, &ssz, n1, recsize, 0, "cat1"); + adjbuf(&s, &ssz, n1 + 1, recsize, 0, "cat1"); memcpy(s, x->sval, n1); + tempfree(x); + y = execute(a[1]); n2 = strlen(getsval(y)); adjbuf(&s, &ssz, n1 + n2 + 1, recsize, 0, "cat2"); memcpy(s + n1, y->sval, n2); s[n1 + n2] = '\0'; - tempfree(x); tempfree(y); z = gettemp(); diff --git a/usr.bin/awk/tran.c b/usr.bin/awk/tran.c index 6e8b159022c..0e4802ecbf9 100644 --- a/usr.bin/awk/tran.c +++ b/usr.bin/awk/tran.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tran.c,v 1.35 2022/06/03 19:46:09 millert Exp $ */ +/* $OpenBSD: tran.c,v 1.36 2022/09/21 01:42:59 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -566,7 +566,6 @@ Cell *catstr(Cell *a, Cell *b) /* concatenate a and b */ char *qstring(const char *is, int delim) /* collect string up to next delim */ { - const char *os = is; int c, n; const uschar *s = (const uschar *) is; uschar *buf, *bp; @@ -575,7 +574,7 @@ char *qstring(const char *is, int delim) /* collect string up to next delim */ FATAL( "out of space in qstring(%s)", s); for (bp = buf; (c = *s) != delim; s++) { if (c == '\n') - SYNTAX( "newline in string %.20s...", os ); + SYNTAX( "newline in string %.20s...", is ); else if (c != '\\') *bp++ = c; else { /* \something */ -- 2.20.1
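Review bot: In the cat() hunk of usr.bin/awk/run.c, the two details that carry the fix have no comment: `tempfree(x)` now has to run before `execute(a[1])`, and the first `adjbuf` has to be asked for `n1 + 1` so that minlen is never 0 when the left operand is empty. Going by the FIXES entry, a later cleanup that regroups the two tempfree calls or drops the `+ 1` would bring back the use-after-free or the NULL buffer handed to memcpy, so I would add `/* x's bytes are already copied into s; release x before a[1] is evaluated and do not touch it afterwards */` above `tempfree(x);` and `/* + 1: minlen must not be 0, or s stays NULL */` on the first adjbuf line. The declarations of n1, n2 and ssz are outside the hunk; if they are plain int, `n1 + n2 + 1` is signed arithmetic on strlen results and deserves a range check before the second adjbuf. cat() starts and ends outside the hunk.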