Subject: lib/30552: small bug in libedit might cause abnormal program termination
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <bkoenig@cs.tu-berlin.de>
List: netbsd-bugs
Date: 06/18/2005 22:05:00
>Number:         30552
>Category:       lib
>Synopsis:       small bug in libedit might cause abnormal program termination
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 18 22:05:00 +0000 2005
>Originator:     Björn König
>Release:        
>Organization:
>Environment:
>Description:
	libedit covers several vi and emacs functions and stores
	descriptions about them in a structure called el_func_help
	which will be generated automatically. This structure is
	terminated by { NULL, 0, NULL }, as is customary, to have an
	exit condition for use with loops. The problem is that
	the map_init function in lib/libedit/map.c does not respect
	this null-termination. It allocates memory for only N
	functions, but N+1 is necessary to include the termination.
	You'll get a segmentation fault in certain cases.

>How-To-Repeat:
	I'm not sure if this works with NetBSD; at least it does with FreeBSD. Unfortunately I have no NetBSD system available.
	
	Set a language explicitly if you haven't set any.

	   > setenv LANG en_US.ISO8859-1

	Run a shell with built-in emacs command line editor.

	   > sh -E

	List all editor commands.

	   $ bind -l 2>/dev/null
	   Segmentation fault (core dumped)
>Fix:
See http://www.freebsd.org/cgi/query-pr.cgi?pr=82381
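Added example (not part of the bug report, and not libedit's own code): a constructed, NULL-terminated help table in the shape the report describes, copied once with the buggy allocation of N entries and once with the correct N+1. A bounded walk over each copy shows that the N-sized copy has no terminator left to stop on, which is what a loop like the one behind `bind -l` would run past. The entry names, the `struct help_entry` layout and the helper functions are assumptions made for illustration; the real el_func_help table is generated at build time.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an el_func_help entry: name, function index,
 * description. The field layout is assumed for illustration only. */
struct help_entry {
    const char *name;
    int func;
    const char *description;
};

/* Constructed sample table, terminated by { NULL, 0, NULL } like the
 * generated one in the report. */
static const struct help_entry sample_help[] = {
    { "em-delete-prev-char", 0, "Delete the character to the left of the cursor" },
    { "ed-move-to-beg",      1, "Move cursor to the beginning of line" },
    { "vi-insert",           2, "Enter insert mode" },
    { NULL, 0, NULL }
};

/* Number of real entries, i.e. everything before the terminator. */
size_t count_help(const struct help_entry *table)
{
    size_t n = 0;
    while (table[n].name != NULL)
        n++;
    return n;
}

/* Copy a help table. keep_terminator == 0 reproduces the reported bug
 * (room for N entries, terminator dropped); keep_terminator != 0 allocates
 * N+1 so the terminating entry survives. calloc() zeroes the extra slot,
 * so dst[n].name is NULL in the fixed variant. Returns NULL on failure. */
struct help_entry *copy_help(const struct help_entry *src, int keep_terminator)
{
    size_t n = count_help(src);
    size_t slots = keep_terminator ? n + 1 : n;
    struct help_entry *dst = calloc(slots, sizeof *dst);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, n * sizeof *dst);
    return dst;
}

/* Bounded lookup. A loop that only trusts the terminator would keep reading
 * past an N-sized copy; this one refuses to read more than `slots` entries.
 * Returns the index on a match, -1 when the terminator was reached first,
 * and -2 when the allocation ended without a terminator ever appearing. */
long find_help(const struct help_entry *table, size_t slots, const char *name)
{
    for (size_t i = 0; i < slots; i++) {
        if (table[i].name == NULL)
            return -1;
        if (strcmp(table[i].name, name) == 0)
            return (long)i;
    }
    return -2;
}

/* Copy the sample table with or without the extra slot and report whether a
 * search for a name that is not in the table still stops on the terminator.
 * Returns 1 if it does, 0 if the walk ran off the end, -1 on allocation error. */
int terminator_survives(int keep_terminator)
{
    size_t n = count_help(sample_help);
    size_t slots = keep_terminator ? n + 1 : n;
    struct help_entry *copy = copy_help(sample_help, keep_terminator);
    if (copy == NULL)
        return -1;
    long r = find_help(copy, slots, "no-such-command");
    free(copy);
    return r == -1 ? 1 : 0;
}

int main(void)
{
    printf("entries in sample table: %zu\n", count_help(sample_help));
    printf("N   slots: terminator %s\n", terminator_survives(0) ? "kept" : "lost");
    printf("N+1 slots: terminator %s\n", terminator_survives(1) ? "kept" : "lost");
    return 0;
}
```

The `-2` return is the interesting one: with only N slots allocated there is no entry the walk can stop on, and code that loops until `name == NULL` (as the report says `bind -l` does) would read whatever happens to follow the allocation.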