Subject: Re: lib/30552: small bug in libedit might cause abnormal program termination
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 06/21/2005 00:47:02 
The following reply was made to PR lib/30552; it has been noted by GNATS.

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@netbsd.org, lib-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: bkoenig@cs.tu-berlin.de
Subject: Re: lib/30552: small bug in libedit might cause abnormal program termination
Date: Mon, 20 Jun 2005 20:46:03 -0400

 On Jun 18, 10:05pm, bkoenig@cs.tu-berlin.de (bkoenig@cs.tu-berlin.de) wrote:
 -- Subject: lib/30552: small bug in libedit might cause abnormal program term
 
 | >Number:         30552
 | >Category:       lib
 | >Synopsis:       small bug in libedit might cause abnormal program termination
 | >Confidential:   no
 | >Severity:       non-critical
 | >Priority:       low
 | >Responsible:    lib-bug-people
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Sat Jun 18 22:05:00 +0000 2005
 | >Originator:     Björn König
 | >Release:        
 | >Organization:
 | >Environment:
 | >Description:
 | 	libedit covers several vi and emacs functions and stores
 | 	descriptions about them in a structure called el_func_help
 | 	which will be generated automatically. This structure is
 | 	terminated by { NULL, 0, NULL } as customary to have an
 |    	exit condition for use with loops. The problem is that
 | 	the map_init function in lib/libedit/map.c do not respect
 | 	this null-termination. It allocates memory for only N
 | 	functions, but N+1 is necessary to include the termination.
 | 	You'll get a segmentation fault in certain cases.
 | 
 | >How-To-Repeat:
 | 	I'm not sure if this works with NetBSD, at least it does with FreeBSD. Unfornately I have no NetBSD system available.
 | 	
 | 	Set a language explicitly if you don't have set any.
 | 
 | 	   > setenv LANG en_US.ISO8859-1
 | 
 | 	Run a shell with built-in emacs command line editor.
 | 
 | 	   > sh -E
 | 
 | 	List all editor commands.
 | 
 | 	   $ bind -l 2>/dev/null
 | 	   Segmentation fault (core dumped)
 
 I don't think that is the case. EL_NUM_FCNS is one greater than
 the total number of functions. The following does not core-dump...
 
 christos
 
 Index: map.c
 ===================================================================
 RCS file: /cvsroot/src/lib/libedit/map.c,v
 retrieving revision 1.20
 diff -u -u -r1.20 map.c
 --- map.c	13 Aug 2004 12:10:39 -0000	1.20
 +++ map.c	21 Jun 2005 00:43:36 -0000
 @@ -916,10 +916,18 @@
  	el->el_map.vii = el_map_vi_insert;
  	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
  	    EL_NUM_FCNS);
  	if (el->el_map.help == NULL)
  		return (-1);
 +	(void) memset(el->el_map.help, 1, sizeof(el_bindings_t) * EL_NUM_FCNS);
  	(void) memcpy(el->el_map.help, help__get(),
  	    sizeof(el_bindings_t) * EL_NUM_FCNS);
 +	{
 +		el_bindings_t *p = el->el_map.help;
 +		for (;p->name;p++)
 +			printf("%s\n", p->name);
 +		printf("done\n");
 +	}
 +
  	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
  	    EL_NUM_FCNS);
  	if (el->el_map.func == NULL)