From: jerry <mail@jerryfletcher.org>
Subject: vi(1) segfault with startup command bang containing %
To: tech@openbsd.org
Date: Sat, 2 Aug 2025 19:23:05 +0200

Hello,

while using vi(1) I encountered a bug that caused it to sefault when a
specific command was present in a startup file (.nexrc/.exrc) or in a
startup environment variable (NEXINIT/EXINIT).
The bug also affects nvi(1) from ports.
The fix was just a null pointer check.

The command has the form:
!<external-command> [some-parameters] % [some-parameters]

For example:
NEXINIT='!ls %' vi test

or adding !ls % in ~/.nexrc

Bye,
jerry

diff --git ex/ex_argv.c ex/ex_argv.c
index e8a6c5afd7f..785a7eb5ec0 100644
--- ex/ex_argv.c
+++ ex/ex_argv.c
@@ -321,7 +321,7 @@ argv_fexp(SCR *sp, EXCMD *excp, char *cmd, size_t cmdlen, char *p,
 			F_SET(excp, E_MODIFY);
 			break;
 		case '%':
-			if ((t = sp->frp->name) == NULL) {
+			if (sp->frp == NULL || (t = sp->frp->name) == NULL) {
 				msgq(sp, M_ERR,
 				    "No filename to substitute for %%");
 				return (1);