Bug 2016

Summary: argp --help infloop, via ARGP_HELP_FMT envvar
Product: glibc
Reporter: Jim Meyering <list+redhat-bugzilla>
Component: argparse
Assignee: Roland McGrath <roland>
Status: NEW
Severity: normal
CC: fweimer, glibc-bugs, van.de.bugger
Priority: P2
Flags: fweimer: security-
Version: 2.12
Target Milestone: ---
Host: Target:
Build: Last reconfirmed:
Attachments: A Minimal Program Using Argp; Patch from gnulib to resolve this issue.

Description Jim Meyering 2005-12-09 18:23:34 UTC
You can make any argp-using program infloop simply by running it
with --help and with something like ARGP_HELP_FMT=rmargin=a in the
environment.  Or use a valid (but small) width: ARGP_HELP_FMT=rmargin=2

  $ time ARGP_HELP_FMT=rmargin=2 tar --help > /dev/null
  ARGP_HELP_FMT=rmargin=2 tar --help > /dev/null  35.49s user 0.17s system 97% cpu 36.648 total
  [Exit 130 (INT)]
Comment 1 Dwayne Grant McConnell 2005-12-12 19:10:28 UTC
Do you have a simple testcase handy?
Comment 2 jim@meyering.net 2005-12-12 19:46:24 UTC
Subject: Re:  argp --help infloop, via ARGP_HELP_FMT envvar

"decimal at us dot ibm dot com" <sourceware-bugzilla@sourceware.org> wrote:
> Do you have a simple testcase handy?

No.
FYI, there's already a fix in gnulib:

  http://lists.gnu.org/archive/html/bug-gnulib/2005-12/msg00042.html
Comment 3 jim@meyering.net 2005-12-12 20:24:40 UTC
Subject: Re:  argp --help infloop, via ARGP_HELP_FMT envvar

"decimal at us dot ibm dot com" <sourceware-bugzilla@sourceware.org> wrote:
> Do you have a simple testcase handy?

If you need a simple testcase, one of the four in
the glibc manual should do nicely.
Comment 4 Dwayne Grant McConnell 2005-12-12 20:44:31 UTC
I was able to reproduce.
Comment 5 Dwayne Grant McConnell 2005-12-12 20:47:42 UTC
Created attachment 799 [details]
A Minimal Program Using Argp

To reproduce the problem use
gcc -o glibc-2016-test glibc-2016-test.c
ARGP_HELP_FMT=rmargin=2 ./glibc-2016-test --help
Comment 6 Dwayne Grant McConnell 2005-12-13 19:20:46 UTC
Created attachment 801 [details]
Patch from gnulib to resolve this issue.

This patch was taken from
http://lists.gnu.org/archive/html/bug-gnulib/2005-12/msg00042.html
and resolves the problem. I have tested on ppc64 and ppc.
Comment 7 Dwayne Grant McConnell 2005-12-14 20:52:02 UTC
Sent a note to the gnulib argp maintainer to verify that copyright assignment
has already happened for this fix.
Comment 8 Dwayne Grant McConnell 2005-12-16 22:22:36 UTC
It seems the copyright assignment is in progress with the FSF.

The gnulib argp maintainer is interested in seeing other fixes get into glibc.
Not sure if there is any interest on the glibc end. Perhaps there is a policy to
only take fixes reported by users? or perhaps the goal would be to track gnulib
more closely if the resources were available to do it?
Comment 9 Roland McGrath 2005-12-22 01:08:16 UTC
The policy wrt gnulib copies of glibc code is that glibc's trunk is the master
source and gnulib maintainers have previously agreed to submit fixes to glibc
piecemeal as they come up, so as to keep the code in synch.  gnulib maintainers
can contact me to expedite any languishing gnulib patches, and they should
already be aware of this.  Anyone doing glibc bugzilla triage can identify
patches from gnulib maintainers and assign those bugs to me.

For future reference, a case like this does not need a small test case program
supplied.  It is sufficient if a command line using locale or suchlike is a good
test case.
Comment 10 Dwayne Grant McConnell 2006-02-09 21:20:20 UTC
Thanks for the info. The maintainer informed me that this was committed to gnulib.
Comment 11 Ulrich Drepper 2007-09-24 03:19:17 UTC
The attached patch not only does not apply, but even after fixing it up it doesn't
solve the problem.  Either it never worked or the gnulib version is sufficiently
different.  Please provide a correct patch.
Comment 12 Petr Baudis 2010-06-01 03:29:33 UTC
no response
Comment 13 jim@meyering.net 2010-06-01 05:40:09 UTC
This bug report is still valid and the bug afflicts rawhide's
glibc-2.12.90-1.x86_64. Running this example from the manual still infloops:

$ cat k.c; gcc k.c; ARGP_HELP_FMT=rmargin=2 ./a.out --help > /dev/null
#include <argp.h>
int main (int argc, char **argv)
{
  argp_parse (0, argc, argv, 0, 0, 0);
  return 0;
}
^C
Comment 14 jim@meyering.net 2010-06-01 10:17:10 UTC
FYI, the referenced patch ensures that the new function, validate_uparams, is
used to reject invalid parameters.  Rerunning my example, built against the
version in gnulib produces this:

a.out: ARGP_HELP_FMT: rmargin value is less than or equal to short-opt-col
Comment 15 Florian Weimer 2018-04-19 14:16:49 UTC
Still not fixed in master.
Comment 16 van.de.bugger 2021-04-06 03:05:33 UTC
If a program uses options with OPTION_DOC flag, ARGP_HELP_FMT is able to crash it:

$ cat ./example.c
#include <argp.h>

char doc[] = "Argp example\vThis part of the documentation comes *after* the options";

struct argp_option options[] = { {"Doc option",0,0,OPTION_DOC}, {0} };

error_t parse_opt (int key, char *arg, struct argp_state *state) {
  switch (key) {
    default: return ARGP_ERR_UNKNOWN;
  }
  return 0;
}

struct argp argp = { options, parse_opt, "", doc };

int main (int argc, char **argv) {
  argp_parse (&argp, argc, argv, 0, 0, 0);
  return 0;
}

$ gcc -Wall ./example.c

$ ./a.out --help
Usage: a.out [OPTION...] 
Argp example

  Doc option
  -?, --help                 Give this help list
      --usage                Give a short usage message

This part of the documentation comes *after* the options

$ ARGP_HELP_FMT=opt-doc-col=2,rmargin=12 ./a.out --help
            Usage:
            a.out            
            [OPTION...]            


rgp example

  Doc
  option
Segmentation fault (core dumped)
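As an added illustration of the validation step comment 14 describes (rejecting an ARGP_HELP_FMT whose columns do not fit inside rmargin) and of the layout that comment 16's `opt-doc-col=2,rmargin=12` input breaks, here is a self-contained C parser for ARGP_HELP_FMT-style strings that refuses inconsistent parameters before any help text is laid out. It is example code written for this page, not glibc's or gnulib's argp-help.c: the struct, the parameter table, the 10000 upper bound, the helper names and the error texts are this example's own, and the default column values are assumed to match those in glibc's argp-help.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Help-layout parameters, one field per ARGP_HELP_FMT name.  The struct and
   the defaults (assumed to match glibc's argp-help.c) are this example's own,
   not glibc's internal "uparams". */
struct help_params {
    int dup_args, dup_args_note;                       /* booleans */
    int short_opt_col, long_opt_col, doc_opt_col, opt_doc_col;
    int header_col, usage_indent, rmargin;
};
static const struct help_params help_defaults = { 0, 1, 2, 6, 2, 29, 1, 12, 79 };

struct param_name { const char *name; size_t offset; int is_bool; };
static const struct param_name param_names[] = {
    { "dup-args",      offsetof(struct help_params, dup_args),      1 },
    { "dup-args-note", offsetof(struct help_params, dup_args_note), 1 },
    { "short-opt-col", offsetof(struct help_params, short_opt_col), 0 },
    { "long-opt-col",  offsetof(struct help_params, long_opt_col),  0 },
    { "doc-opt-col",   offsetof(struct help_params, doc_opt_col),   0 },
    { "opt-doc-col",   offsetof(struct help_params, opt_doc_col),   0 },
    { "header-col",    offsetof(struct help_params, header_col),    0 },
    { "usage-indent",  offsetof(struct help_params, usage_indent),  0 },
    { "rmargin",       offsetof(struct help_params, rmargin),       0 },
};
#define NPARAMS (sizeof param_names / sizeof param_names[0])
#define FIELD(p, off) (*(int *)((char *)(p) + (off)))

/* Every column must lie strictly inside the right margin; a column at or past
   rmargin is what the wrap loop and the OPTION_DOC crash above trip over.
   Returns 0 if consistent, otherwise -1 with the offending name in *bad. */
int validate_help_params(const struct help_params *p, const char **bad) {
    size_t i;
    for (i = 0; i < NPARAMS; i++) {
        const struct param_name *pn = &param_names[i];
        int v = FIELD(p, pn->offset);
        int is_rmargin = pn->offset == offsetof(struct help_params, rmargin);
        if (!pn->is_bool && (v < 0 || (!is_rmargin && v >= p->rmargin))) {
            *bad = pn->name;
            return -1;
        }
    }
    return 0;
}

/* Parse an ARGP_HELP_FMT-style string such as "opt-doc-col=2,rmargin=12" on
   top of the defaults.  Returns 0 on success; otherwise -1 with a one-line
   reason in err, so a caller can refuse the format instead of looping or
   crashing.  Booleans are bare names, optionally prefixed with "no-". */
int parse_help_fmt(const char *spec, struct help_params *out,
                   char *err, size_t errlen) {
    const char *s = spec ? spec : "", *bad;
    *out = help_defaults;
    while (*s) {
        size_t len = strcspn(s, ","), i, nlen;
        const char *item = s, *name = s, *eq = memchr(s, '=', len);
        const struct param_name *pn = NULL;
        int negate = 0, value;
        char *end = NULL;
        long v = 0;
        s += len + (s[len] == ',');
        if (len == 0) continue;                   /* tolerate "a=1,,b=2" */
        nlen = eq ? (size_t)(eq - item) : len;
        if (nlen > 3 && strncmp(name, "no-", 3) == 0) { name += 3; nlen -= 3; negate = 1; }
        for (i = 0; i < NPARAMS; i++)
            if (strlen(param_names[i].name) == nlen && strncmp(param_names[i].name, name, nlen) == 0)
                pn = &param_names[i];
        if (!pn) { snprintf(err, errlen, "unknown parameter: %.*s", (int)nlen, name); return -1; }
        if (pn->is_bool) {
            if (eq) { snprintf(err, errlen, "%s takes no value", pn->name); return -1; }
            value = !negate;
        } else {
            if (eq && !negate) v = strtol(eq + 1, &end, 10);   /* digits only, 0..10000 */
            if (!end || end == eq + 1 || end != item + len || v < 0 || v > 10000) {
                snprintf(err, errlen, "bad value for %s", pn->name); return -1;
            }
            value = (int)v;
        }
        FIELD(out, pn->offset) = value;
    }
    if (validate_help_params(out, &bad) != 0) {
        snprintf(err, errlen, "ARGP_HELP_FMT: %s must be less than rmargin", bad);
        return -1;
    }
    return 0;
}

/* Yes/no convenience wrapper: 1 if spec parses and validates, else 0. */
int help_fmt_ok(const char *spec) {
    struct help_params hp; char err[128];
    return parse_help_fmt(spec, &hp, err, sizeof err) == 0;
}

/* Stand-alone check of whatever ARGP_HELP_FMT is in the environment. */
int main(void) {
    struct help_params hp;
    char err[128];
    if (parse_help_fmt(getenv("ARGP_HELP_FMT"), &hp, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    printf("accepted: rmargin=%d opt-doc-col=%d\n", hp.rmargin, hp.opt_doc_col);
    return 0;
}
```

With this check in front of the formatter, `rmargin=2` is rejected because short-opt-col (2) is not below it, `rmargin=a` is rejected as a non-numeric value, and comment 16's `opt-doc-col=2,rmargin=12` is rejected because the default usage-indent (12) collides with the margin; the program reports the reason and exits instead of looping or faulting.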