Subject: lib/12963: Bug in libedit
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jwaterman@yaleroad.com>
List: netbsd-bugs
Date: 05/16/2001 16:34:03
>Number: 12963
>Category: lib
>Synopsis: Bug in libedit
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 16 16:33:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Jason Waterman
>Release: 1.5
>Organization:
>Environment:
>Description:
In tty.c,v 1.14 in libedit, the function tty_bind_char() has a bug.
Line 766 should be changed from:
    char new[2], old[2];
to:
    unsigned char new[2], old[2];
This is because new[] and old[] are used as an index into a command
array, defined in map.c, and get assignments from an unsigned char.
When 255 gets assigned to them, it gets converted to -1, which is out
of bounds.
>How-To-Repeat:
I noticed this by getting a segfault running test.c from libedit. This
was on an OpenBSD system, so test.c might seem to run fine here.
>Fix:
See above
>Release-Note:
>Audit-Trail:
>Unformatted:
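
The sign conversion described in the report, as an added example that is not part of the original report and is not libedit code. The 256-entry table and the names cmd_map, index_via_signed, index_via_unsigned, lookup and count_out_of_bounds are hypothetical; signed char is spelled out so the result does not depend on whether plain char is signed on the build platform.

```c
#include <stdio.h>
#include <string.h>

#define N_KEYS 256                 /* assumed: one command slot per byte value */

typedef unsigned char cmd_t;       /* hypothetical command id type */
static cmd_t cmd_map[N_KEYS];      /* hypothetical stand-in for the command array */

/* Index computed through a signed char buffer, as before the proposed fix. */
static int index_via_signed(unsigned char key)
{
    signed char buf[2] = { 0, 0 };
    memcpy(&buf[0], &key, 1);      /* same bit pattern, reinterpreted as signed */
    return buf[0];                 /* 0xff is promoted to int as -1 */
}

/* Index computed through an unsigned char buffer, as after the proposed fix. */
static int index_via_unsigned(unsigned char key)
{
    unsigned char buf[2] = { key, 0 };
    return buf[0];                 /* 0xff stays 255 */
}

/* Bounds-checked lookup: 0 on success, -1 if idx is outside cmd_map. */
static int lookup(int idx, cmd_t *out)
{
    if (idx < 0 || idx >= N_KEYS)
        return -1;
    *out = cmd_map[idx];
    return 0;
}

/* Count the byte values whose computed index falls outside the table. */
static int count_out_of_bounds(int (*to_index)(unsigned char))
{
    int bad = 0;
    cmd_t c;
    for (int k = 0; k < N_KEYS; k++)
        if (lookup(to_index((unsigned char)k), &c) != 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("signed:   %d keys out of bounds\n", count_out_of_bounds(index_via_signed));
    printf("unsigned: %d keys out of bounds\n", count_out_of_bounds(index_via_unsigned));
    return 0;
}
```

Every byte value from 128 to 255 yields a negative index through the signed buffer, so the problem is not limited to 255; an unchecked array access with such an index reads memory before the table.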