NetBSD-Bugs archive
bin/41581: [dM] window segfaults with certain terminals
>Number: 41581
>Category: bin
>Synopsis: [dM] window SEGV with certain terminals
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 12 14:00:00 +0000 2009
>Originator: der Mouse
>Release: NetBSD 4.0.1, also in 4.0 and 3.1, probably -current
>Organization:
Dis-
>Environment:
System: NetBSD NetBSD-401.Rodents-Montreal.ORG 4.0.1 NetBSD 4.0.1 (GEN401) #0:
Wed May 27 10:57:54 EDT 2009
mouse%NetBSD-401.Rodents-Montreal.ORG@localhost:/home/mouse/kbuild/GEN401 i386
Architecture: i386
Machine: i386
More generally, any using usr.bin/window/ttgeneric.c,v 1.9, probably at
least some other versions too.
>Description:
When used with a terminal type supporting standout but not
underline (se/so but not ue/uo) window will segfault early in
startup (after clearing the screen but before drawing anything
more). Code inspection makes me think there is risk of a
similar segfault for terminal types with underline but no
standout.
This is because the code is of the form
if (!strcmp(x->...,y->...) && y && z && ...)
that is, it uses a variable before testing it to determine
whether the use is safe. (x is tested in a surrounding if.)
(It also pessimizes the order of the tests, putting the most
expensive test first, and arguably should be fixed for that
reason if no other.)
-current (ttgeneric.c,v 1.10) has similarly botched code. I
haven't tested it to see whether it segfaults, but looking at
the diff between 1.9 (the one 3.1, 4.0, and 4.0.1 use, and
which definitely suffers) and 1.10 (-current) makes me think it
does not affect this either way; it appears to be nothing but a
const-poisoning change. I infer that 5.0 probably suffers too.
>How-To-Repeat:
Set up - or choose - a terminal type with se/so but without
ue/uo. Start window. Watch it segfault.
>Fix:
--- base/usr.bin/window/ttgeneric.c Thu Aug 7 07:17:30 2003
+++ live/usr.bin/window/ttgeneric.c Fri Jun 12 09:28:09 2009
@@ -169,8 +169,8 @@
} else
if (gen_SE) {
ttxputs(gen_SE);
- if (!strcmp(gen_SE->ts_str,
gen_UE->ts_str) &&
- gen_UE && gen_US && new & WWM_UL)
+ if (gen_UE && gen_US && new & WWM_UL &&
+ !strcmp(gen_SE->ts_str,
gen_UE->ts_str))
ttxputs(gen_US);
}
}
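Review bot: The unparenthesized `new & WWM_UL` in the new condition `if (gen_UE && gen_US && new & WWM_UL &&` relies on `&` binding tighter than `&&`. It evaluates as intended, but `(new & WWM_UL)` would make that explicit for the next reader. The pointer tests now come before the `gen_UE->ts_str` dereference, and `gen_SE` is covered by the enclosing `if (gen_SE)`, so the lines shown need no further NULL check. A short comment saying that the `gen_UE` test must stay ahead of the strcmp would help prevent a later cleanup from reordering the operands back.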
@@ -181,8 +181,8 @@
} else
if (gen_UE) {
ttxputs(gen_UE);
- if (!strcmp(gen_UE->ts_str,
gen_SE->ts_str) &&
- gen_SE && gen_SO && new & WWM_REV)
+ if (gen_SE && gen_SO && new & WWM_REV &&
+ !strcmp(gen_UE->ts_str,
gen_SE->ts_str))
ttxputs(gen_SO);
}
}
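Review bot: The `if (gen_UE)` branch is the path the report reached by code inspection only, so the new condition `if (gen_SE && gen_SO && new & WWM_REV &&` should be exercised with a terminal entry that has underline but no standout before this is committed, in addition to the case given under How-To-Repeat. As in the previous hunk, `(new & WWM_REV)` would be clearer parenthesized. The two conditions are mirror images with the standout and underline roles swapped, so a comment noting the pairing would help keep them in step if one is edited later.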
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B