csplit: avoid buffer overrun when writing more than 999 files

Without this fix, seq 1000 | csplit - /./ '{*}' would write
the NUL-terminated file name, xx1000, into a buffer of size 6.
* src/csplit.c (main): Use properly sized file name buffer.
* NEWS (Bug fixes): Mention it.
* tests/misc/csplit-1000: New test to trigger the bug.
* tests/Makefile.am (TESTS): Add misc/csplit-1000.

diff --git a/NEWS b/NEWS
index 0cd6153..89ae5d6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ GNU coreutils NEWS                                    -*- outline -*-
   latent bug introduced in coreutils 8.1, and possibly a second latent
   bug going at least as far back as coreutils 5.97]
 
+  csplit no longer corrupts heap when writing more than 999 files.
+  Demonstrate with: seq 1000 | csplit - /./ '{*}'
+  [the bug was present in the initial implementation]
+
   tail -F once again notices changes in a currently unavailable
   remote directory [bug introduced in coreutils-7.5]
 

diff --git a/src/csplit.c b/src/csplit.c
index 40baba8..57543f0 100644 (file)
--- a/src/csplit.c
+++ b/src/csplit.c
@@ -1372,10 +1372,11 @@ main (int argc, char **argv)
       usage (EXIT_FAILURE);
     }
 
-  if (suffix)
-    filename_space = xmalloc (strlen (prefix) + max_out (suffix) + 2);
-  else
-    filename_space = xmalloc (strlen (prefix) + digits + 2);
+  unsigned int max_digit_string_len
+    = (suffix
+       ? max_out (suffix)
+       : MAX (INT_STRLEN_BOUND (unsigned int), digits));
+  filename_space = xmalloc (strlen (prefix) + max_digit_string_len + 1);
 
   set_input_file (argv[optind++]);
 

diff --git a/tests/Makefile.am b/tests/Makefile.am
index dd1c509..a3a30b6 100644 (file)
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -172,6 +172,7 @@ TESTS =                                             \
   misc/chroot-fail                             \
   misc/comm                                    \
   misc/csplit                                  \
+  misc/csplit-1000                             \
   misc/date-sec                                        \
   misc/dircolors                               \
   misc/df                                      \

diff --git a/tests/misc/csplit-1000 b/tests/misc/csplit-1000
new file mode 100755 (executable)
index 0000000..accbe46
--- /dev/null
+++ b/tests/misc/csplit-1000
@@ -0,0 +1,29 @@
+#!/bin/sh
+# various csplit tests
+
+# Copyright (C) 2010 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+test "$VERBOSE" = yes && FIXME --version
+
+# Before coreutils-8.7, this would overrun the 6-byte filename_space buffer.
+# It's hard to detect that without using valgrind, so here, we simply
+# run the demonstrator.
+seq 1000 | csplit - '/./' '{*}' || fail=1
+test -f xx1000 || fail=1
+test -f xx1001 && fail=1
+
+Exit $fail