My previous diff had this_line += extra_lines which was wrong:
it double-counts when the cursor has already moved forward
past the extra lines during processing.

The correct reset is this_line = 0. nflushd_lines is always
0 at this point (the mid-processing path at line 266 sets
extra_lines to 0 before updating nflushd_lines).

0 crashes out of 1000 random inputs containing \v on both
OpenBSD 7.9/amd64 and 7.9/i386 with UBSan (was ~14% before).

Index: usr.bin/col/col.c
===================================================================
RCS file: /cvs/src/usr.bin/col/col.c,v
retrieving revision 1.20
diff -u -p -r1.20 col.c
--- usr.bin/col/col.c 4 Dec 2022 23:50:47 -0000 1.20
+++ usr.bin/col/col.c
@@ -295,8 +295,11 @@ main(int argc, char *argv[])
l->l_max_col = cur_col;
cur_col++;
}
- if (extra_lines)
+ if (extra_lines) {
flush_lines(extra_lines);
+ l = lines;
+ this_line = 0;
+ }
/* goto the last line that had a character on it */
for (; l->l_next; l = l->l_next)
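
Review bot: In the new block under if (extra_lines), l is reassigned from lines immediately after flush_lines(extra_lines), and the unchanged loop that follows dereferences l->l_next with no NULL check. If flush_lines() can leave lines NULL once everything buffered has been flushed, that loop faults. Either guard the walk (skip it when lines is NULL) or add a comment stating why lines is guaranteed non-NULL here. The reset this_line = 0 is also only correct while nflushd_lines is 0 at this point, which is explained in the message but not in the code; a one-line comment above the assignment would keep that invariant visible to the next person who touches the mid-processing flush path.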