[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible tgetstr() NULL pointer dereference

From: Gregory James DUCK
Subject: Re: Possible tgetstr() NULL pointer dereference
Date: Thu, 15 Jun 2023 08:24:41 +0800


OK, here is one last attempt, this time from source:
  1. Download & build latest dev ncurses (ncurses-6.4-20230610 fetched from https://invisible-island.net/ncurses/#download_ncurses)

  2. Copy the attached test.c to ncurses-6.4-20230610/lib/ and build:
        gcc -O0 -g -o test test.c ./libncurses_g.a -I ../include/
  3. Setup modified terminfo file from previous email:
          mkdir -p ~/.terminfo/x
        cp xterm-256color ~/.terminfo/x/xterm-256color-2
  4. Run:
        gdb ./test -ex 'set exec-wrapper env TERM=xterm-256color-2' -ex 'run'
  5. This is the result I get at least:
        Program received signal SIGSEGV, Segmentation fault.
        tgetstr_sp (sp=<optimized out>, id=0x432838 "Ce", area=0x0) at ../ncurses/./tinfo/lib_termcap.c:361
        361                     if (same_tcname(id, capname) && ValidExt(capname)) {
Cheers, -Greg.

On Thu, Jun 15, 2023 at 6:49 AM Thomas Dickey <dickey@his.com> wrote:
On Wed, Jun 14, 2023 at 04:00:02PM +0800, Gregory James DUCK wrote:
> Hi,
> It seems following modified/corrupted xterm-256color file (attached) seems
> to cause a crash in the tgetstr() function from libtinfo.so.6:
>     $ cd ~
>     $ mkdir -p .terminfo/x/
>     $ cp xterm-256color .terminfo/x/
>     $ vim
> Tested on Ubuntu 23.04.  I think the corrupted file causes convert_strings()

hmm - Ubuntu's website chokes when I ask what version of ncurses that might be.

(since Ubuntu just recompiles whatever Debian has, it's not helpful to tell
the version of Ubuntu).

> to write a NULL entry to the tp->ext_Names array.  Later, tgetstr() reads
> the value but assumes it is non-NULL leading to a crash (NULL pointer
> dereference).  It is probably unlikely that the xterm-256color file would
> be directly modified by an end-user though.

maybe - it's working fine with current ncurses - but a reproducible bug
should be reported to Debian.

Thomas E. Dickey <dickey@invisible-island.net>

Attachment: test.c
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]