bug-ncurses
Re: Possible tgetstr() NULL pointer dereference


From: Gregory James DUCK
Subject: Re: Possible tgetstr() NULL pointer dereference
Date: Thu, 15 Jun 2023 08:24:41 +0800

Hi,

OK, here is one last attempt, this time from source:

  1. Download & build latest dev ncurses (ncurses-6.4-20230610 fetched from https://invisible-island.net/ncurses/#download_ncurses)
        ./configure
        make

  2. Copy the attached test.c to ncurses-6.4-20230610/lib/ and build:
        gcc -O0 -g -o test test.c ./libncurses_g.a -I ../include/

  3. Set up modified terminfo file from previous email:
        mkdir -p ~/.terminfo/x
        cp xterm-256color ~/.terminfo/x/xterm-256color-2

  4. Run:
        gdb ./test -ex 'set exec-wrapper env TERM=xterm-256color-2' -ex 'run'

  5. This is the result I get at least:
        Program received signal SIGSEGV, Segmentation fault.
        tgetstr_sp (sp=<optimized out>, id=0x432838 "Ce", area=0x0) at ../ncurses/./tinfo/lib_termcap.c:361
        361                     if (same_tcname(id, capname) && ValidExt(capname)) {

Cheers,
-Greg.

On Thu, Jun 15, 2023 at 6:49 AM Thomas Dickey <dickey@his.com> wrote:
On Wed, Jun 14, 2023 at 04:00:02PM +0800, Gregory James DUCK wrote:
> Hi,
>
> The following modified/corrupted xterm-256color file (attached) seems
> to cause a crash in the tgetstr() function from libtinfo.so.6:
>
>     $ cd ~
>     $ mkdir -p .terminfo/x/
>     $ cp xterm-256color .terminfo/x/
>     $ vim
>
> Tested on Ubuntu 23.04.  I think the corrupted file causes convert_strings()

hmm - Ubuntu's website chokes when I ask what version of ncurses that might be.

(since Ubuntu just recompiles whatever Debian has, it's not helpful to tell
the version of Ubuntu).

> to write a NULL entry to the tp->ext_Names array.  Later, tgetstr() reads
> the value but assumes it is non-NULL leading to a crash (NULL pointer
> dereference).  It is probably unlikely that the xterm-256color file would
> be directly modified by an end-user though.

maybe - it's working fine with current ncurses - but a reproducible bug
should be reported to Debian.

--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net

Attachment: test.c
Description: Text Data
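
The failure mode reported in this thread (a corrupted terminfo file leaving a NULL entry in a name array, which a later lookup dereferences), as an added example that is not part of the original message and is not ncurses code. It is a simplified model: resolve_names, same_name_safe, find_ext_name, lookup_with_offsets, the table layout and the sample offsets are all hypothetical and constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: three 2-character names packed in a string table. */
static const char  TABLE[] = "AX\0" "Ce\0" "XT";
static const short GOOD_OFFSETS[3]    = { 0, 3, 6 };
static const short CORRUPT_OFFSETS[3] = { 0, 300, 6 };  /* entry 1 out of range */

/* Turn offsets into pointers; a bad offset yields NULL instead of a name. */
static void resolve_names(const short *off, size_t n, const char **names)
{
    for (size_t i = 0; i < n; i++) {
        names[i] = NULL;
        if (off[i] >= 0 && (size_t)off[i] < sizeof(TABLE) &&
            memchr(TABLE + off[i], '\0', sizeof(TABLE) - (size_t)off[i]) != NULL)
            names[i] = TABLE + off[i];
    }
}

/* Two-character comparison that rejects NULL before reading any byte. */
static int same_name_safe(const char *id, const char *name)
{
    return id != NULL && name != NULL && id[0] != '\0' && id[1] != '\0'
        && name[0] == id[0] && name[1] == id[1] && name[2] == '\0';
}

/* Index of the entry matching id, or -1; NULL entries are skipped. */
static int find_ext_name(const char *id, const char **names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (same_name_safe(id, names[i]))
            return (int)i;
    return -1;
}

/* Resolve the given offsets against TABLE, then look up id. */
int lookup_with_offsets(const short *off, const char *id)
{
    const char *names[3];
    resolve_names(off, 3, names);
    return find_ext_name(id, names, 3);
}

int main(void)
{
    printf("intact: Ce -> %d, corrupted: Ce -> %d\n",
           lookup_with_offsets(GOOD_OFFSETS, "Ce"),
           lookup_with_offsets(CORRUPT_OFFSETS, "Ce"));
    return 0;
}
```

With the corrupted offsets the lookup reports "not found" for the damaged entry and still finds its intact neighbours, instead of faulting on the NULL pointer.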

