Subject: Re: lib/30552: small bug in libedit might cause abnormal program termination
To: None <gnats-bugs@netbsd.org, lib-bug-people@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 06/20/2005 20:46:03
On Jun 18, 10:05pm, bkoenig@cs.tu-berlin.de (bkoenig@cs.tu-berlin.de) wrote:
-- Subject: lib/30552: small bug in libedit might cause abnormal program term

| >Number:         30552
| >Category:       lib
| >Synopsis:       small bug in libedit might cause abnormal program termination
| >Confidential:   no
| >Severity:       non-critical
| >Priority:       low
| >Responsible:    lib-bug-people
| >State:          open
| >Class:          sw-bug
| >Submitter-Id:   net
| >Arrival-Date:   Sat Jun 18 22:05:00 +0000 2005
| >Originator:     Björn König
| >Release:        
| >Organization:
| >Environment:
| >Description:
| 	libedit covers several vi and emacs functions and stores
| 	descriptions about them in a structure called el_func_help
| 	which will be generated automatically. This structure is
| 	terminated by { NULL, 0, NULL } as customary to have an
| 	exit condition for use with loops. The problem is that
| 	the map_init function in lib/libedit/map.c does not respect
| 	this null-termination. It allocates memory for only N
| 	functions, but N+1 is necessary to include the termination.
| 	You'll get a segmentation fault in certain cases.
| 
| >How-To-Repeat:
| 	I'm not sure if this works with NetBSD, at least it does with FreeBSD. Unfortunately I have no NetBSD system available.
| 	
| 	Set a language explicitly if you haven't set one.
| 
| 	   > setenv LANG en_US.ISO8859-1
| 
| 	Run a shell with built-in emacs command line editor.
| 
| 	   > sh -E
| 
| 	List all editor commands.
| 
| 	   $ bind -l 2>/dev/null
| 	   Segmentation fault (core dumped)

I don't think that is the case. EL_NUM_FCNS is one greater than
the total number of functions. The following does not core-dump...

christos

Index: map.c
===================================================================
RCS file: /cvsroot/src/lib/libedit/map.c,v
retrieving revision 1.20
diff -u -u -r1.20 map.c
--- map.c	13 Aug 2004 12:10:39 -0000	1.20
+++ map.c	21 Jun 2005 00:43:36 -0000
@@ -916,10 +916,18 @@
 	el->el_map.vii = el_map_vi_insert;
 	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.help == NULL)
 		return (-1);
+	(void) memset(el->el_map.help, 1, sizeof(el_bindings_t) * EL_NUM_FCNS);
 	(void) memcpy(el->el_map.help, help__get(),
 	    sizeof(el_bindings_t) * EL_NUM_FCNS);
+	{
+		el_bindings_t *p = el->el_map.help;
+		for (;p->name;p++)
+			printf("%s\n", p->name);
+		printf("done\n");
+	}
+
 	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.func == NULL)
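Review bot: the memset to 1 and the printf loop inserted between the el_malloc check and the memcpy are debugging scaffolding, not a fix, so they should not be committed as-is; if they stay for the test, printf needs <stdio.h> and its output is interleaved with the calling shell's. Filling the buffer with 0x01 bytes before the memcpy is what makes the experiment meaningful: had help__get() not placed the { NULL, 0, NULL } terminator within the first EL_NUM_FCNS entries, p->name would be a 0x0101... pointer and the loop would fault instead of reaching "done". A check that does not depend on a crash would be to verify, right after the memcpy, that el->el_map.help[EL_NUM_FCNS - 1].name == NULL.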
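As an added example (not code from the PR, from Christos, or from libedit), here is the allocation-and-terminator situation the report describes, written against a hypothetical binding_t and a constructed three-entry table so it runs stand-alone: copying only as many entries as there are real functions leaves the copy unterminated, copying one more includes the terminator, and the scan that decides this stays within the allocation instead of relying on a fault.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libedit's el_bindings_t: name, function index, help text. */
typedef struct {
    const char *name;
    int func;
    const char *description;
} binding_t;

/* Constructed sample of a generated help table, terminated by { NULL, 0, NULL }. */
static const binding_t sample_help[] = {
    { "ed-move-to-beg", 0, "Move cursor to the beginning of line" },
    { "ed-move-to-end", 1, "Move cursor to the end of line" },
    { "vi-insert",      2, "Vi enter insert mode" },
    { NULL, 0, NULL }
};

/* Number of real entries, excluding the terminator (the "N" of the report). */
#define SAMPLE_NUM_FCNS 3

/*
 * Copy the first `count` entries of `src` (count must not exceed the source
 * table's length, terminator included) into a freshly allocated table, then
 * check, without reading past the allocation, that a NULL-name terminator
 * lies within those `count` entries.  Returns 1 if the copy is terminated,
 * 0 if a name-walking loop would run off its end, -1 on allocation failure.
 */
static int help_copy_is_terminated(const binding_t *src, size_t count)
{
    binding_t *help = malloc(sizeof(*help) * count);
    int terminated = 0;
    size_t i;

    if (help == NULL)
        return -1;
    memcpy(help, src, sizeof(*help) * count);
    for (i = 0; i < count; i++) {      /* bounded scan, never past `count` */
        if (help[i].name == NULL) {
            terminated = 1;
            break;
        }
    }
    free(help);
    return terminated;
}
```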