Wednesday, November 09, 2022

math/ministat segmentation fault

Reported upstream (by me) as
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267684

math/ministat has a silly bug: the code assumes that "-" (read the dataset
from stdin) will be specified no more than once at invocation:

$ jot 3 | ministat - -
Segmentation fault (core dumped)

The problem is in the port-patched code at:
643     if (argc > (MAX_DS - 1))
644         usage("Too many datasets.");
645     nds = argc;
646     for (i = 0; i < nds; i++) {
647         setfilenames[i] = argv[i];
648         if (!strcmp(argv[i], "-"))
649             setfiles[0] = stdin;
650         else
651             setfiles[i] = fopen(argv[i], "r");
652         if (setfiles[i] == NULL)
653             err(2, "Cannot open %s", argv[i]);
654     }

On line 649 the index is fixed at 0, so a second "-" overwrites setfiles[0]
and leaves setfiles[i] untouched. Because that slot is uninitialised rather
than NULL, the check on line 652 does not catch it, and fgets() eventually
attempts to read from an uninitialised stream.

The simplest fix is to change the index:
649             setfiles[i] = stdin;

That way, ministat will error out complaining that, on the second reading,
stdin has fewer than 3 data points.
(A more logical fix would be to check explicitly for more than 1
occurrence of "-".)
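As an added example (not the port's or upstream's code), here is a rewrite of that loop that applies both fixes: it stores stdin at index i and rejects a second "-" up front. It returns status codes instead of calling usage()/err() so it can be exercised without exiting; the MAX_DS value, the DS_* codes and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DS 8   /* assumed value; ministat's real limit is not shown above */

/* Status codes standing in for ministat's usage()/err() calls. */
enum { DS_OK = 0, DS_TOO_MANY = 1, DS_DUP_STDIN = 2, DS_OPEN_FAILED = 3 };

/* Close the first n opened datasets, never closing stdin itself. */
static void close_datasets(FILE **setfiles, int n)
{
    for (int i = 0; i < n; i++)
        if (setfiles[i] != NULL && setfiles[i] != stdin)
            fclose(setfiles[i]);
}

/*
 * Hypothetical replacement for lines 643-654: every slot is NULL-initialised
 * before use, "-" is stored at index i (not 0), and a second "-" is refused
 * explicitly. Writes the number of datasets to *nds_out on success.
 */
int open_datasets(int argc, char **argv, FILE **setfiles,
                  const char **setfilenames, int *nds_out)
{
    int i, stdin_used = 0;

    if (argc > (MAX_DS - 1))
        return DS_TOO_MANY;              /* was: usage("Too many datasets.") */

    for (i = 0; i < MAX_DS; i++)         /* no slot is ever left uninitialised */
        setfiles[i] = NULL;

    for (i = 0; i < argc; i++) {
        setfilenames[i] = argv[i];
        if (strcmp(argv[i], "-") == 0) {
            if (stdin_used) {
                close_datasets(setfiles, i);
                return DS_DUP_STDIN;     /* "-" given twice: refuse up front */
            }
            stdin_used = 1;
            setfiles[i] = stdin;         /* index i, not the fixed 0 */
        } else {
            setfiles[i] = fopen(argv[i], "r");
        }
        if (setfiles[i] == NULL) {
            close_datasets(setfiles, i);
            return DS_OPEN_FAILED;       /* was: err(2, "Cannot open %s", ...) */
        }
    }
    *nds_out = argc;
    return DS_OK;
}
```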

Ross
