md5sum -c: ignore a line with a NUL byte among checksum hex digits

* src/md5sum.c (hex_digits): Require that all "digest_hex_bytes"
be hexadecimal digits, not just those before the first NUL byte.
This bug dates back to the original version:
3763a4f24eb21be40674d13ff7b04e078f473e85
* tests/misc/md5sum (nul-in-cksum): Test for the above.
* NEWS [Bug fixes]: Mention this.
Prompted by a report from Flóki Pálsson in
http://bugzilla.redhat.com/439531

diff --git a/NEWS b/NEWS
index 3a584e9cc301b9cf2ef4f40d733c04b281cc021a..3cc7151d439600b49e5df6aa1efd12ee5e731092 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,13 @@ GNU coreutils NEWS                                    -*- outline -*-
   sha1sum, sha224sum, sha384sum, and sha512sum are affected, too.
   [bug introduced in coreutils-5.1.0]
 
+  md5sum -c would accept a NUL-containing checksum string like "abcd\0..."
+  and would unnecessarily read and compute the checksum of the named file,
+  and then compare that checksum to the invalid one: guaranteed to fail.
+  Now, it recognizes that the line is not valid and skips it.
+  sha1sum, sha224sum, sha384sum, and sha512sum are affected, too.
+  [bug present in the original version, in coreutils-4.5.1, 1995]
+
   "mkdir -Z x dir" no longer segfaults when diagnosing invalid context "x"
   mkfifo and mknod would fail similarly.  Now they're fixed.
 

diff --git a/src/md5sum.c b/src/md5sum.c
index ba762d149a06aeb07a0fd310c07097ae1d259db4..f83a7b1152604cf512e5a31a8dbabdfcd3f7756a 100644 (file)
--- a/src/md5sum.c
+++ b/src/md5sum.c
@@ -343,16 +343,19 @@ split_3 (char *s, size_t s_len,
   return true;
 }
 
+/* Return true if S is a NUL-terminated string of DIGEST_HEX_BYTES hex digits.
+   Otherwise, return false.  */
 static bool
 hex_digits (unsigned char const *s)
 {
-  while (*s)
+  unsigned int i;
+  for (i = 0; i < digest_hex_bytes; i++)
     {
       if (!isxdigit (*s))
         return false;
       ++s;
     }
-  return true;
+  return *s == '\0';
 }
 
 /* An interface to the function, DIGEST_STREAM.

diff --git a/tests/misc/md5sum b/tests/misc/md5sum
index 25069fd1575f89ab0d45fe68736be656cf66dcc1..474656f24405c40b8ef5be282b994a378f014a71 100755 (executable)
--- a/tests/misc/md5sum
+++ b/tests/misc/md5sum
@@ -66,6 +66,14 @@ my @Tests =
                                {AUX=> {f=> 'bar'}}, {EXIT=> 1}],
      ['bsd-segv', '--check', {IN=> {'z' => "MD5 ("}}, {EXIT=> 1},
       {ERR=> "$prog: z: no properly formatted MD5 checksum lines found\n"}],
+
+     # Ensure that when there's a NUL byte among the checksum hex digits
+     # we detect the invalid formatting and don't even open the file.
+     # Up to coreutils-6.10, this would report:
+     #   h: FAILED
+     #   md5sum: WARNING: 1 of 1 computed checksum did NOT match
+     ['nul-in-cksum', '--check', {IN=> {'h'=>("\0"x32)."  h\n"}}, {EXIT=> 1},
+      {ERR=> "$prog: h: no properly formatted MD5 checksum lines found\n"}],
     );
 
 # Insert the `--text' argument for each test.