Source-Changes-HG archive

[src/trunk]: src/lib/libcurses avoid accessing stack garbage.

details:   https://anonhg.NetBSD.org/src/rev/305e67ec7395
branches:  trunk
changeset: 983180:305e67ec7395
user:      mrg <mrg%NetBSD.org@localhost>
date:      Sat May 08 04:29:07 2021 +0000

description:
avoid accessing stack garbage.

on arm64eb resuming vi(1) would often crash.  in makech(), the 'csp'
variable is either set to current window data, or a local stack
variable's address '&blank'.  the window data has many lines of info
stored, and 'csp++' is used per line here.  unfortunately, a case
existed where 'csp++' operated on csp initialised from '&blank', which
eventually crashes when, on my display with 160 columns, 'csp + 155'
exceeds the mapped stack.

match the '!_cursesi_screen->curwin' conditional that initialises csp,
and avoid csp++ here.  assert() that csp != &blank in both places that
modify csp.

thanks to jdc@ and mlelstv@.

XXX: possibly also should avoid the putch() here as well.
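The pattern the description fixes, as an added C model rather than libcurses code: csp starts out as either a window line (an array) or the address of a single local cell, and the per-column increment must be tied to the same condition that chose the array, with a range check that survives NDEBUG builds. The names screen_t, render_line, advances_for and NCOLS are assumptions for this example.

```c
/* Constructed model of the makech() pattern: csp is either a window line
 * (an array) or the address of one local cell 'blank', so the per-column
 * increment must be tied to the same condition that chose the array. */
#include <stdbool.h>

#define NCOLS 8                        /* constructed: cells per window line */

typedef struct { int ch; } cell_t;

typedef struct {
    bool   curwin;                     /* stand-in for _cursesi_screen->curwin */
    cell_t line[NCOLS];                /* stand-in for the current window data */
} screen_t;

/* Renders 'ncols' columns into 'out'; returns ncols, or -1 if the walk would
 * leave the window line.  '*advanced' counts csp++ so callers can check the
 * invariant "csp is never advanced while it points at blank". */
static int
render_line(const screen_t *s, int ncols, int *out, int *advanced)
{
    cell_t blank = { ' ' };            /* local stack cell, as in makech() */
    const cell_t *csp = s->curwin ? &blank : s->line;
    const cell_t *end = s->line + NCOLS;

    *advanced = 0;
    for (int wx = 0; wx < ncols; wx++) {
        /* Explicit range check: unlike assert(), it survives NDEBUG builds.
         * The curwin case never evaluates the pointer comparison. */
        if (!s->curwin && csp >= end)
            return -1;
        out[wx] = csp->ch;
        if (!s->curwin) {              /* same condition that chose the array */
            csp++;
            (*advanced)++;
        }
    }
    return ncols;
}

/* Renders 'ncols' columns of a constructed screen (line holds 'a' + column)
 * and returns the advance count, or -1 on overrun. */
static int
advances_for(bool curwin, int ncols)
{
    screen_t s = { .curwin = curwin };
    int out[2 * NCOLS], adv;
    for (int i = 0; i < NCOLS; i++)
        s.line[i].ch = 'a' + i;
    return render_line(&s, ncols, out, &adv) < 0 ? -1 : adv;
}
```

With curwin set, any number of columns can be rendered because csp never moves; with curwin clear, rendering more columns than the line holds is reported as -1 instead of walking off the array.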

diffstat:

 lib/libcurses/refresh.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (45 lines):

diff -r 30e9d764a993 -r 305e67ec7395 lib/libcurses/refresh.c
--- a/lib/libcurses/refresh.c   Sat May 08 00:27:02 2021 +0000
+++ b/lib/libcurses/refresh.c   Sat May 08 04:29:07 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $        */
+/*     $NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $        */
 
 /*
  * Copyright (c) 1981, 1993, 1994
@@ -34,13 +34,14 @@
 #if 0
 static char sccsid[] = "@(#)refresh.c  8.7 (Berkeley) 8/13/94";
 #else
-__RCSID("$NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $");
+__RCSID("$NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $");
 #endif
 #endif                         /* not lint */
 
 #include <poll.h>
 #include <stdlib.h>
 #include <string.h>
+#include <assert.h>
 
 #include "curses.h"
 #include "curses_private.h"
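Review bot: the new `#include <assert.h>` is appended after `<string.h>`, which breaks the alphabetical order the existing `<poll.h>`, `<stdlib.h>`, `<string.h>` block already follows; placing it before `<poll.h>` keeps the include list sorted.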
@@ -1322,6 +1323,7 @@
                                                csp->ch = (wchar_t)btowc((int)' ');
                                                SET_WCOL( *csp, 1 );
 #endif /* HAVE_WCHAR */
+                                               assert(csp != &blank);
                                                csp++;
                                        }
                                        return OK;
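Review bot: in this hunk the `csp++` stays unconditional and the only protection added is `assert(csp != &blank)`, which is compiled out under NDEBUG, so a release build behaves exactly as before on this path. If csp can be `&blank` here, the same `if (!_cursesi_screen->curwin)` guard applied in the next hunk is needed; if it cannot (this loop being reached only from a branch not shown), a short comment saying why would make the assert's purpose clear.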
@@ -1368,7 +1370,10 @@
                        {
                                if (putch(nsp, csp, wy, wx) == ERR)
                                        return ERR;
-                               csp++;
+                               if (!_cursesi_screen->curwin) {
+                                       assert(csp != &blank);
+                                       csp++;
+                               }
                        } else {
                                putattr(nsp);
                                putattr_out(nsp);
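Review bot: `putch(nsp, csp, wy, wx)` at the top of this hunk is still called with csp when it points at the local `blank`, which the description's XXX already acknowledges; the new guard only covers the increment. It is worth confirming that putch() only reads `*csp` and never writes through or advances it, and noting that since `assert()` disappears under NDEBUG, the `if (!_cursesi_screen->curwin)` test is the only protection in production builds.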
