Segfault resizing with multiline strings

From: Toshio Kuratomi
Subject: Segfault resizing with multiline strings
Date: Wed, 8 May 2019 10:49:49 -0700

Hi, I've been diagnosing a bug reported to the python stdlib about
their curses library segfaulting in certain circumstances (
https://bugs.python.org/issue35924 ).  After some debugging, I believe
this is an ncurses bug which is encountered when resizing a window
which has a line with embedded newlines.

Steps to reproduce in C:
* I'll attach a small test program.  (My C is atrocious but hopefully
it is sufficient to demonstrate the bug occurs in ncurses without the
presence of Python in the mix).
  * Compile the program: gcc test-curses.c -lncurses -o test-curses -g
  * Run in a resizable window (xterm works fine)
  * Resize the window top to bottom or bottom to top so that the lines
of characters on the screen are hidden and then should be restored.
(*not* left to right).
  * The program will segfault.
  * This is not 100% repeatable for me.  I usually have to resize
several times and once in a while I have to close the program (via
Ctrl-C) and re-run it.  But it happens nearly every time.

Some things I've discovered in Python:
* The user posted a reproducer using the Python bindings in the Python
stdlib to the bugs.python.org bug tracker.  I played around with the
code posted there and found that when the user's code contains:

    box = '\n'.join('+'*x for _ in range(y))
    w.addstr(0, 0, box)

then the code segfaults.  If I change that to be:

    box = '\n'.join('+'*x for _ in range(y))
    # Add each line via a separate addstr() call
    for offset, line in enumerate(box.splitlines()):
        w.addstr(offset, 0, line)

then the code will raise an expected exception.
  * As the user states, we do expect that ncurses will return an error
here, but not SegFault.
  * When I was playing around with the Python code, I came to think
there might be an off-by-one error in wresize().  Changing
./ncurses/base/wresize.c:Line 206
-              for (row = ToLines + 1; row <= size_y; row++) {
+              for (row = ToLines + 2; row <= size_y; row++) {
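
Review bot: starting the loop at `ToLines + 2` on the `+` line means row `ToLines + 1` is no longer visited by this loop, and the hunk gives no reason why that row can be skipped. The loop body is not shown here, so please include the surrounding context lines and say which access inside the loop goes out of bounds when `row = ToLines + 1`; a bounds check on that access would be easier to justify than shifting the start index.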

Fixed the segfault that was occurring in the user's Python code.
However, even with this change, my C test program still SegFaulted.
So I think that that particular change to wresize.c was either
treating symptoms rather than causes or else there are multiple places
which can SegFault.

Hope this is enough information to reproduce and figure out a fix,

Attachment: test-curses.c
Description: Text Data
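
Added example, not part of the original message or its attachment: a caller-side guard built on the per-line addstr() variant shown in the message, so a window never receives a string with embedded newlines and each line is clipped to the window's current size. The names clip_block, add_block and demo and the 40x20 box are assumptions made for illustration.

```python
import curses

# Added example: clip_block/add_block are illustrative names, not from the thread.
def clip_block(text, y, x, max_y, max_x):
    """Return [(row, col, segment)] for the parts of text that fit in a
    max_y x max_x window. No segment ever contains a newline."""
    calls = []
    if x < 0 or x >= max_x:
        return calls
    for offset, line in enumerate(text.splitlines()):
        row = y + offset
        if row < 0:
            continue
        if row >= max_y:
            break  # remaining lines are below the window (e.g. after a shrink)
        width = max_x - x
        if row == max_y - 1:
            # Python's curses raises curses.error after writing the
            # lower-right cell, so leave that one cell unused.
            width -= 1
        segment = line[:width]
        if segment:
            calls.append((row, x, segment))
    return calls

def add_block(win, y, x, text):
    """Draw text with one addstr() call per line, clipped to win's current
    size. Returns the number of lines drawn."""
    max_y, max_x = win.getmaxyx()  # re-read every call: changes on resize
    drawn = 0
    for row, col, segment in clip_block(text, y, x, max_y, max_x):
        try:
            win.addstr(row, col, segment)
        except curses.error:
            break  # window shrank between getmaxyx() and addstr()
        drawn += 1
    return drawn

def demo(stdscr):
    box = '\n'.join('+' * 40 for _ in range(20))  # constructed sample input
    while True:
        stdscr.erase()
        add_block(stdscr, 0, 0, box)
        stdscr.refresh()
        if stdscr.getch() == ord('q'):  # any other key or a resize redraws
            break

if __name__ == "__main__":
    curses.wrapper(demo)
```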
