bug-ncurses

Re: set_field_buffer memory problems


From: Thomas Dickey
Subject: Re: set_field_buffer memory problems
Date: Sat, 06 Dec 2008 18:09:08 -0500
User-agent: Mutt/1.5.18 (2008-05-17)

On Fri, Dec 05, 2008 at 10:40:28PM -0800, Mike Gran wrote:
> I'm running an unpatched 5.7, and I'm having difficulty with a crash in 
> set_field_buffer.  In the crash, glibc reports a double-free or corruption at 
> the call to "free(widevalue)" in set_field_buffer() at frm_driver.c:4394
> 
> I have wide characters enabled (linked against formw_g).
> 
> I couldn't seem to make a small program that reliably reproduced the crash, 
> but, I didn't make a small program that Valgrind flagged as bad.  Consider 
> the following
> 
> #include <form.h>   /* FIELD, new_field(), set_field_buffer(); also pulls in curses.h */
> 
> int main()
> {
>   FIELD *f;
> 
>   initscr();
>   f = new_field(1, 10, 0, 0, 0, 0);       /* 1 row, 10 columns */
>   field_opts_off(f, O_STATIC);            /* dynamic field: allowed to grow past 10 columns */
>   set_field_buffer(f, 0, "ABCDEFGHIJKLMNOPQRSTUVWXYZ");  /* 26 characters into a 10-column field */
>   free_field(f);
>   endwin();
> 
>   return 0;
> }
> 
> Valgrind complains about this
> 
> ==32214== Invalid write of size 4
> ==32214==    at 0x806512E: win_wchnstr (lib_in_wchnstr.c:67)
> ==32214==    by 0x80509DF: set_field_buffer (frm_driver.c:4380)
> ==32214==    by 0x8049768: main (f002_data.c:12)
> ==32214==  Address 0x41e5ee0 is 0 bytes after a block of size 648 alloc'd
> ==32214==    at 0x40218F9: calloc (vg_replace_malloc.c:397)
> ==32214==    by 0x805095B: set_field_buffer (frm_driver.c:4372)
> ==32214==    by 0x8049768: main (f002_data.c:12)
> 
> The problem might have something to do with this call in set_field_buffer() 
> ...
> 
> 4380              mvwin_wchnstr(field->working, i, 0,
> 4381                            widevalue + (i * field->dcols),
> 4382                            field->dcols);
> 
> .... where widevalue has been allocated to a smaller size than field->dcols.  
> There could be a write off the end of the widevalue array (?).

I see... Looks like the problem is from this change:

20081018
        + modify form library to accept control characters such as newline
          in set_field_buffer(), which is compatible with Solaris (report by
          Nit Khair).

That does a wresize() after the buffer-size was already computed.
Here's a fix:

diff -u -r1.88 frm_driver.c
--- frm_driver.c        2008/10/18 16:25:00     1.88 
+++ frm_driver.c        2008/12/06 23:08:12 
@@ -4366,6 +4366,7 @@ 
       delwin(field->working);
       field->working = newpad(field->drows, field->dcols);
     }
+  len = Buffer_Length(field); 
   wclear(field->working);
   mvwaddstr(field->working, 0, 0, value);
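Review bot: the recomputed `len = Buffer_Length(field);` is placed after the closing brace of the resize block, so it runs on every call rather than only when `field->working` was recreated; that is the right position, since the earlier value of `len` predates the `delwin`/`newpad` that can change the pad's dimensions. Worth confirming in the full function that the later `calloc` of `widevalue` (reported at frm_driver.c:4372 in the Valgrind trace) is sized from this refreshed `len` and not from a copy taken before the resize, otherwise the `mvwin_wchnstr` loop at 4380 still writes `drows * dcols` cells into the smaller block. Minor: the added line has trailing whitespace after the semicolon.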

-- 
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net
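The defect the thread describes is a general one: a buffer length computed from the field's dimensions, then a resize that enlarges those dimensions, then a copy loop that uses the new dimensions against the old allocation. The following is an added, constructed model of that pattern and of the fix (recomputing the length after the resize); it is not ncurses code, the `ToyField` struct, `toy_buffer_length()` and `toy_rows_needed()` are stand-ins for `FIELD`, `Buffer_Length()` and the form library's dynamic-growth logic, and the copy loop counts the cells that would land past the allocation instead of writing them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Constructed stand-in for the parts of FIELD that matter here (hypothetical). */
typedef struct {
    int drows;   /* rows in the working pad */
    int dcols;   /* columns in the working pad */
} ToyField;

/* Stand-in for Buffer_Length(field): number of cells the working pad holds. */
static size_t toy_buffer_length(const ToyField *f)
{
    return (size_t)f->drows * (size_t)f->dcols;
}

/* Rows a dynamic (non O_STATIC) field needs to show `value`: each line is
 * wrapped at dcols, and a newline starts a new line. Constructed model. */
static int toy_rows_needed(const char *value, int dcols)
{
    int rows = 0;
    size_t line = 0;
    for (const char *p = value; ; ++p) {
        if (*p == '\n' || *p == '\0') {
            rows += (line == 0) ? 1 : (int)((line + (size_t)dcols - 1) / (size_t)dcols);
            line = 0;
            if (*p == '\0') break;
        } else {
            line++;
        }
    }
    return rows;
}

/* Returns how many cells the row-by-row copy would write PAST the allocation.
 * recompute_after_resize == 0 models the stale-length bug, 1 models the fix.
 * 0 means every write stays inside the buffer. */
size_t toy_overflow_cells(const char *value, int initial_cols, int recompute_after_resize)
{
    ToyField f = { 1, initial_cols };
    size_t len = toy_buffer_length(&f);          /* length taken BEFORE growth */

    int rows = toy_rows_needed(value, f.dcols);  /* models delwin()/newpad() growth */
    if (rows > f.drows)
        f.drows = rows;

    if (recompute_after_resize)
        len = toy_buffer_length(&f);             /* the fix: refresh after resize */

    wchar_t *widevalue = calloc(len, sizeof(wchar_t));
    if (widevalue == NULL)
        return (size_t)-1;

    size_t overflow = 0;
    for (int i = 0; i < f.drows; i++) {          /* same shape as the mvwin_wchnstr loop */
        size_t off = (size_t)i * (size_t)f.dcols;
        if (off + (size_t)f.dcols > len) {       /* would run off the end: count, don't write */
            overflow += (size_t)f.dcols;
            continue;
        }
        for (int c = 0; c < f.dcols; c++)
            widevalue[off + (size_t)c] = L' ';
    }
    free(widevalue);
    return overflow;
}

int main(void)
{
    const char *value = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";  /* the 26-character value from the report */
    printf("stale length: %zu cells past the buffer\n", toy_overflow_cells(value, 10, 0));
    printf("recomputed:   %zu cells past the buffer\n", toy_overflow_cells(value, 10, 1));
    return 0;
}
```

With a 10-column field the 26-character value grows the pad to 3 rows; the stale length still describes a 10-cell block, so the copy of rows 1 and 2 (20 cells) falls outside it, which is the same shape as the "0 bytes after a block" write Valgrind reported.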
