[Toybox] Two bugs in tail toy
Rob Landley
rob at landley.net
Tue Oct 28 14:50:46 PDT 2014
On 10/28/14 14:54, luckboy at vp.pl wrote:
> On 28.10.2014 at 01:22, Rob Landley wrote:
>> On 10/27/14 05:21, luckboy at vp.pl wrote:
>>> I am writing to you again because I found two bugs in the tail toy and wrote
>>> to you about these bugs and you didn't reply to me.
>> Sorry, a little overwhelmed with todo item backlog. (And spent the whole
>> weekend working on sed...)
> I understand it.
>>> These bugs:
>>> The first bug is that tail added a random character to the end of stdout when
>>> it read from stdin.
>> It's a little non-obvious from staring at it which change fixes which
>> bug, and I got distracted actually testing the result because in commit
>> 1523 (back on the 14th) I broke loopfiles subtly (the test for "are we
>> in read only mode" was confused by O_CLOEXEC so it was using stdout
>> instead of stdin, which broke simple stuff like _cat_ and I didn't
>> notice for a bit. My bad. I'd wondered why aboriginal stopped building
>> but hadn't had time to track it down this weekend due to banging on sed.)
>>
>>> The second bug is a segmentation fault for 'tail -c 10' for big data from
>>> stdin.
>> Indeed, a use after free error looks like. Good catch, thanks.
>>
>> That part I understand. It's the added random character I'm not seeing,
>> and I don't understand what the orig_len change is doing?
...
> I found a perfect way to reproduce this bug:
>
> seq 1 4096 | ./toybox tail
>
> Example output:
>
> 4087
> 4088
> 4089
> 4090
> 4091
> 4092
> 4093
> 4094
> 4095
> 4096
> 8
>
> The last character is printed without a newline.
$ ./toybox seq 1 4096 | ./toybox tail | ./toybox od -t x1
0000000 34 30 38 37 0a 34 30 38 38 0a 34 30 38 39 0a 34
0000020 30 39 30 0a 34 30 39 31 0a 34 30 39 32 0a 34 30
0000040 39 33 0a 34 30 39 34 0a 34 30 39 35 0a 34 30 39
0000060 36 0a
0000062
I'm still not seeing it. That's make defconfig against a clean checkout.
What build environment are you using?
Rob