Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/lib/libcurses avoid accessing stack garbage.
details: https://anonhg.NetBSD.org/src/rev/305e67ec7395
branches: trunk
changeset: 983180:305e67ec7395
user: mrg <mrg%NetBSD.org@localhost>
date: Sat May 08 04:29:07 2021 +0000
description:
avoid accessing stack garbage.
on arm64eb resuming vi(1) would often crash. in makech(), the 'csp'
variable is either set to current window data, or a local stack
variable's address '&blank'. the window data has many lines of info
stored, and 'csp++' is used per line here. unfortunately, a case
existed where 'csp++' operated on csp initialised from '&blank' which
eventually crashes when, on my display with 160 columns and 'csp + 155'
exceeds the mapped stack and crashes.
match the '!_cursesi_screen->curwin' conditional that initialises csp,
and avoid csp++ here. assert() that csp != &blank in both places that
modify csp.
thanks to jdc@ and mlelstv@.
XXX: possibly also should avoid the putch() here as well.
diffstat:
lib/libcurses/refresh.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diffs (45 lines):
diff -r 30e9d764a993 -r 305e67ec7395 lib/libcurses/refresh.c
--- a/lib/libcurses/refresh.c Sat May 08 00:27:02 2021 +0000
+++ b/lib/libcurses/refresh.c Sat May 08 04:29:07 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $ */
+/* $NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $ */
/*
* Copyright (c) 1981, 1993, 1994
@@ -34,13 +34,14 @@
#if 0
static char sccsid[] = "@(#)refresh.c 8.7 (Berkeley) 8/13/94";
#else
-__RCSID("$NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $");
+__RCSID("$NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $");
#endif
#endif /* not lint */
#include <poll.h>
#include <stdlib.h>
#include <string.h>
+#include <assert.h>
#include "curses.h"
#include "curses_private.h"
@@ -1322,6 +1323,7 @@
csp->ch = (wchar_t)btowc((int)' ');
SET_WCOL( *csp, 1 );
#endif /* HAVE_WCHAR */
+ assert(csp != &blank);
csp++;
}
return OK;
@@ -1368,7 +1370,10 @@
{
if (putch(nsp, csp, wy, wx) == ERR)
return ERR;
- csp++;
+ if (!_cursesi_screen->curwin) {
+ assert(csp != &blank);
+ csp++;
+ }
} else {
putattr(nsp);
putattr_out(nsp);
Home |
Main Index |
Thread Index |
Old Index