paste -d'\' file

Version:

coreutils-6.10 (fixed in 6.11)

How to reproduce the failure?

Simply use paste -d ’\’

Symptom:

Hang (buffer overflow).

In version 6.10, when execute paste -d ‘\’, the program simply hang a while, with CPU usage 100%.

The correct behavior should be to reject the input ‘\’ --- it is an illegal delimiter.

Root cause:

Infinite loop caused by an uncaught ‘case’ in ‘switch’ statement.

the root cause is because the switch statement missed a ‘case’. There is no case branch in switch statement to handle ‘\0’. Once the error falls-through to default, it simply increment the pointer. Since this switch statement is within a loop, this will result in an infinite loop, causing buffer overflow, and with unpredictable result.

paste.c

collapse_escapes (char const *strptr) {

 while (*strptr) { // infinite loop, where it hang!

         if (*strptr != '\\') /* Is it an escape character? */

           *strout++ = *strptr++; /* No, just transfer it. */

         else  {

        switch (*++strptr) {

            case '0':

                *strout++ = EMPTY_DELIM;

                break;

            case 'b':

              *strout++ = '\b';

              break;

            .. .. ..

+         case '\0':

+                 backslash_at_end = true;

+                 goto done;

            default:

           /* We should log here!! */

                *strout++ = *strptr;

                break;

            } // switch

         strptr++;

      } // else

  } // while

+ done:;

+  delim_end = strout;

+  return backslash_at_end ? 1 : 0;

}

Can Errlog insert an error message?

Yes. ‘default’ case in ‘switch’ statement.

If we print such an error message, it would be sufficient to diagnose the failure.