author Juli Mallett <jmallett@FreeBSD.org> 2002-04-07 02:29:56 +0000
committer Juli Mallett <jmallett@FreeBSD.org> 2002-04-07 02:29:56 +0000
commit ae17860040ea0538291e276edd13c51502091d55
tree 99efc7fb359e424bf60d108e3ee4b5d486296e9b /usr.bin/sed
parent 856bef3c1713667a5ac7ba1dfc5452a516820080
Fix sed(1) in the case where a last line is specified and hold space is not
specified, and then the first part of the pattern space is deleted, when
there are two or more input lines, as this results in subtraction of one
from an unsigned integral value of '0'. That bogus value is used in one
case for a loop (that will run far too many times in this case) and a
function to search for a value within a specified range of memory, however
now the range of memory is obscenely large and a segmentation fault will
occur.

This is fixed by checking for and appropriately handling a nil pattern
space as if the specified search in memory failed, as indeed it obviously
will with nil pattern space.

Submitted by: Tim J. Robbins <tim@robbins.dropbear.id.au>
PR: bin/34813
Reviewed by: mike
MFC after: 1 day
Notes: svn path=/head/; revision=94012
Diffstat (limited to 'usr.bin/sed')
-rw-r--r-- usr.bin/sed/process.c 8
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c
index ff3cb1913889..a1e3ca72756c 100644
--- a/usr.bin/sed/process.c
+++ b/usr.bin/sed/process.c
@@ -136,7 +136,8 @@ redirect:
case 'D':
if (pd)
goto new;
- if ((p = memchr(ps, '\n', psl - 1)) == NULL) {
+ if (psl == 0 ||
+ (p = memchr(ps, '\n', psl - 1)) == NULL) {
pd = 1;
goto new;
} else {
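Review bot: The new `psl == 0 ||` test in the 'D' case carries no comment, and it is the only thing keeping `psl - 1` from wrapping to a huge length before it reaches memchr(). A one-line comment saying that the pattern space can be empty here and that psl is unsigned would keep a later cleanup from dropping the test as redundant. The same guarded `memchr(ps, '\n', psl - 1)` expression appears again in the 'P' case, so a small helper that returns NULL for an empty pattern space would put the check in one place.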
@@ -188,7 +189,8 @@ redirect:
case 'P':
if (pd)
break;
- if ((p = memchr(ps, '\n', psl - 1)) != NULL) {
+ if (psl != 0 &&
+ (p = memchr(ps, '\n', psl - 1)) != NULL) {
oldpsl = psl;
psl = (p + 1) - ps;
}
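Review bot: With `psl != 0 &&` short-circuiting in the 'P' case, `p` is no longer assigned when the pattern space is empty, so it keeps whatever value it had on entry. Inside the braces that is harmless, but the rest of the case is not visible in this hunk; if anything after the closing brace tests `p` (for example to restore `psl` from `oldpsl`), it would act on a stale pointer. Setting `p = NULL` before the condition would make the empty case explicit.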
@@ -240,7 +242,7 @@ redirect:
HS = tspace;
break;
case 'y':
- if (pd)
+ if (pd || psl == 0)
break;
for (p = ps, len = psl; --len; ++p)
*p = cp->u.y[(unsigned char)*p];
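Review bot: The `psl == 0` guard in the 'y' case fixes the symptom, but the loop condition `--len` is still what makes a zero length dangerous: with `len = psl` equal to 0 and an unsigned type, the pre-decrement wraps and the loop walks far past the buffer. Writing the loop as `for (p = ps, len = psl; len > 1; --len, ++p)` performs the same psl - 1 iterations for non-empty input and zero iterations for empty input, so correctness would not depend on a guard placed two lines earlier. If the current form stays, a comment on why the loop stops one byte short of psl would help.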