NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: lib/54085: curses crash with non-ascii on bottom line
The following reply was made to PR lib/54085; it has been noted by GNATS.
From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: lib/54085: curses crash with non-ascii on bottom line
Date: Thu, 28 Mar 2019 06:50:56 -0000 (UTC)
dholland%eecs.harvard.edu@localhost writes:
>Thread 2 received signal SIGSEGV, Segmentation fault.
>0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
>(gdb) where
>#0 0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
>#1 0x00007d0062c1c63e in doupdate () from /usr/lib/libcurses.so.7
>#2 0x00007d0062c1de6d in wrefresh () from /usr/lib/libcurses.so.7
>#3 0x0000000000400ccb in main () at curse.c:13
>(gdb) x/i 0x00007d0062c1adbd
>=> 0x7d0062c1adbd: mov (%rdx),%ecx
>(gdb)
The crash happens when accessing
win->alines[H-1]->line[W]
and
scr->alines[H-1]->line[W]
respectively. Both use an out of range column index and reach
a guard area with the 0xa5 pattern.
This is caused by code in makech(). It maintains two pointers
nsp and csp that correspond to the line data at column wx.
wx is checked against the line width to avoid dereferencing
invalid pointers, but in lines 1350ff the pointers are
incremented (by 1) while the index is incremented by chw
which, for wide chars, is the result of a wcwidth() call
that may result in 0 or -1 for invalid byte sequences.
--
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
Home |
Main Index |
Thread Index |
Old Index