column: segmentation fault on invalid unicode input passed to -s option #1425

Closed
Kamilcuk opened this issue Aug 27, 2021 · 1 comment

Comments

@Kamilcuk

https://stackoverflow.com/questions/68954826/ansi-c-quoting-why-column-s-t-but-column-s-xhh-without-using-the/68955202#68955202

The following code segfaults:

$ echo 'a' | column -s "$(echo -e '\x99')" -t
Segmentation fault (core dumped)

There is a bug in column: it does not check if the string passed to -s is a valid Unicode string. column calls wcspbrk to find input_separator (i.e. $'\x99') in the input stream. Because the string 0x99 is an invalid UTF-8 sequence, column calls wcspbrk with NULL as the second argument, and it causes a segfault.

+ gdb --args column -s $'\231' -t
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e4a192 in __wcschr_sse2 () from /usr/lib/libc.so.6
#0  0x00007ffff7e4a192 in __wcschr_sse2 () from /usr/lib/libc.so.6
#1  0x00007ffff7e395b3 in wcspbrk () from /usr/lib/libc.so.6
#2  0x00005555555588f6 in ?? ()
#3  0x00005555555575ba in ?? ()
#4  0x00007ffff7db7b25 in __libc_start_main () from /usr/lib/libc.so.6
#5  0x000055555555826e in ?? ()

There is a missing check in column when input arguments are parsed: it does not check if the return value of mbs_to_wcs, which calls mbstowcs to check the string passed to -s, is NULL. That could be fixed with something along the lines of:

case 's':
      free(ctl.input_separator);
      ctl.input_separator = mbs_to_wcs(optarg);
+     if (ctl.input_separator == NULL) {
+           errx(EXIT_FAILURE, _("blabla some message"));
+     }
      ctl.greedy = 0;
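
Review bot: the string passed to errx() on the added line is still a placeholder ("blabla some message"). It should state what was rejected, for example that the argument to -s is not a valid multibyte string in the current locale, so the user can tell which option caused the exit. The NULL test itself sits in the right place, directly after the mbs_to_wcs(optarg) assignment and before the value can be used.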

or some similar check after option parsing.
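
The failure mode described in this report, as an added example that is not part of the original issue or of util-linux's code: mbstowcs rejects the byte 0x99 in a UTF-8 locale, and the caller refuses the separator instead of handing NULL to wcspbrk. The helper names `checked_mbs_to_wcs`, `line_has_separator` and `use_utf8_locale` are hypothetical, and the locale names tried are assumptions about what is installed.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical helper: multibyte -> newly allocated wide string; NULL when the
 * bytes are invalid in the current LC_CTYPE locale or allocation fails. */
static wchar_t *checked_mbs_to_wcs(const char *s)
{
	size_t n = mbstowcs(NULL, s, 0);	/* length probe, (size_t)-1 on invalid input */
	if (n == (size_t)-1)
		return NULL;
	wchar_t *w = calloc(n + 1, sizeof(*w));
	if (w != NULL && mbstowcs(w, s, n + 1) == (size_t)-1) {
		free(w);
		w = NULL;
	}
	return w;
}

/* 1 = line contains a separator, 0 = it does not, -1 = separator rejected.
 * wcspbrk() is only reached with a non-NULL second argument. */
static int line_has_separator(const wchar_t *line, const char *sep_arg)
{
	wchar_t *sep = checked_mbs_to_wcs(sep_arg);
	if (sep == NULL)
		return -1;
	int found = wcspbrk(line, sep) != NULL;
	free(sep);
	return found;
}

/* Select the first UTF-8 locale available; returns 0 if none is installed. */
static int use_utf8_locale(void)
{
	static const char *const names[] = { "C.UTF-8", "en_US.UTF-8", "en_US.utf8" };
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		if (setlocale(LC_CTYPE, names[i]) != NULL)
			return 1;
	return 0;
}

int main(void)
{
	use_utf8_locale();	/* the 0x99 case assumes a UTF-8 LC_CTYPE */
	printf("tab separator:  %d\n", line_has_separator(L"a\tb", "\t"));
	printf("0x99 separator: %d\n", line_has_separator(L"a", "\x99"));	/* constructed input */
	return 0;
}
```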

@karelzak
Collaborator

Thanks for your bug report and bugfix suggestion!
