lib/53801: Segmentation fault in curses with pads

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: lib/53801: Segmentation fault in curses with pads
From: june@causal.agency
Date: Wed, 19 Dec 2018 07:45:00 +0000 (UTC)

>Number:         53801
>Category:       lib
>Synopsis:       Segmentation fault in curses with pads
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 19 07:45:00 +0000 2018
>Originator:     C. McEnroe
>Release:        8.0
>Organization:
>Environment:
NetBSD monday 8.0 NetBSD 8.0 (RPI2) #0: Tue Jul 17 14:59:51 UTC 2018  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/evbarm/compile/RPI2 evbarm
>Description:
A call to wmove(3) following a call to prefresh(3) where the pad is drawn to the screen at coordinates outside the bounds of the pad will result in a segmentation fault. The call to prefresh(3) sets pad->cury and pad->curx out of bounds, and wmove(3) accesses pad->alines using those coordinates.
>How-To-Repeat:
#include <curses.h>
int main(void) {
        initscr();
        WINDOW *pad = newpad(1, COLS);
        prefresh(pad, 0, 0, 5, 0, 5, COLS - 1);
        wmove(pad, 0, 0);
}
>Fix:
pad->cury and pad->curx get set in prefresh on refresh.c:485. The LEAVEOK check above this seems inverted: the cursor position is changed when LEAVEOK is *not* set. The same appears in wrefresh. The position calculation is copied from wrefresh and results in coordinates outside of the pad bounds.

Prev by Date: Re: kern/53800 (ptrace crashes)
Next by Date: Re: kern/53800 (ptrace crashes)
Previous by Thread: Re: kern/53800 (ptrace crashes)
Next by Thread: Re: lib/53801: Segmentation fault in curses with pads
Indexes:

Home | Main Index | Thread Index | Old Index