Current-Users archive


libterminfo/tic crash



Greetings,

Recent changes to lib/libterminfo and usr.bin/tic make tic crash on out-of-boundary memory access.

(this is on macOS):

tools.i386/bin/nbtic -Sx src/share/terminfo/terminfo
nbtic(86018,0x1187eedc0) malloc: Incorrect checksum for freed object 0x7fad17473290: probably modified after being freed.
Corrupt value: 0x700000000000ffff
nbtic(86018,0x1187eedc0) malloc: *** set a breakpoint in malloc_error_break to debug
Abort


Backtrace:

frame #10: 0x0000000100002f33 nbtic`_ti_grow_tbuf(tbuf=0x0000000100406e58, len=4) at compile.c:80:10
frame #11: 0x00000001000046e9 nbtic`_ti_compile(cap="\n\tpln@, rs3=\\EwG\\Ee)$<200>, use=wy160,", flags=21) at compile.c:627:9
frame #12: 0x0000000100001a53 nbtic`process_entry(buf=0x00007ffeefbff868, flags=21) at tic.c:181:8
frame #13: 0x00000001000016f4 nbtic`main(argc=3, argv=0x00007ffeefbff900) at tic.c:553:4


This patch fixes the problem:

diff -u -r1.14 compile.c
--- lib/libterminfo/compile.c	13 Mar 2020 15:19:25 -0000	1.14
+++ lib/libterminfo/compile.c	27 Mar 2020 11:42:22 -0000
@@ -625,7 +625,7 @@
 				if (_ti_find_cap(&tic->nums, 'n', ind) != NULL)
 					continue;
 				if (_ti_grow_tbuf(&tic->nums,
-					sizeof(uint16_t) * 2) == NULL)
+					sizeof(uint16_t) + sizeof(uint32_t)) == NULL)
 					goto error;
 				le16enc(tic->nums.buf + tic->nums.bufpos,
 				    (uint16_t)ind);
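Review bot: The reservation size in the `_ti_grow_tbuf(&tic->nums, ...)` call is still hand-written arithmetic that has to match the encodes that follow it, and only the `le16enc(..., (uint16_t)ind)` write is visible in this hunk. Please confirm that the value write after it is the 32-bit encode and that `bufpos` advances by the same `sizeof(uint16_t) + sizeof(uint32_t)`. A short comment or a named size for "index plus 32-bit number" would keep the reserve and the writes from drifting apart again. Any other call site that still reserves `sizeof(uint16_t) * 2` for a numeric capability deserves the same check.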


OK to commit? :)

Kind regards,
Adam

