Re: sed bug report - Segfault on L command with long address

[Jim Meyering]

On Tue, Dec 9, 2014 at 3:26 PM, Jodie Cunningham
<address@hidden> wrote:
> To reproduce, run:
> sed 'L222222' <<<d
>
> These do not segfault:
> sed 'L22222' <<<d
> sed 'L2222222222222222222222222' <<<d
>
> I do not have any expected behavior for this as it was just found by
> the fuzzer American Fuzzy Lop (lcamtuf.coredump.cx/afl/) .
>
> Test machine:
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.1 LTS
> Release: 14.04
> Codename: trusty
>
> sed:
>   Installed: 4.2.2-4ubuntu1
>   Candidate: 4.2.2-4ubuntu1
>   Version table:
>  *** 4.2.2-4ubuntu1 0
>         500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> $ sed --version
> sed (GNU sed) 4.2.2
>
> Tracked downstream at Ubuntu:
> https://bugs.launchpad.net/ubuntu/+source/sed/+bug/1400575

Thank you for that report.
I confirm it can still be triggered with the latest from git,
though with that, I had to add another "2" digit to your
reproducer.

Since the "L" command is GNU-sed-specific, and
documented to be a failed experiment (copying fmt.c
from coreutils' src/fmt.c back in 2002), I am strongly
inclined simply to remove that code, and have already
written the patch, just to see how much work it would
take.  I haven't yet written the NEWS entry.

Here's its description from "info sed":

'L N'
     This GNU 'sed' extension fills and joins lines in pattern space to
     produce output lines of (at most) N characters, like 'fmt' does; if
     N is omitted, the default as specified on the command line is used.
     This command is considered a failed experiment and unless there is
     enough request (which seems unlikely) will be removed in future
     versions.

At worst, I'll change it to emit a deprecation warning
upon first use of "L" for the next release, and remove
support altogether in the following one.

Does anyone know of distro-provided scripts
that rely on GNU sed's "L" command?