slang-users mailing list


[slang-users] Pointer corruption in slang version 1


Hi,

I have been using Midnight Commander under FreeBSD for several years. (Today I use
MC version 4.6.0 built using Slang version 1.4.9.) All this time I have
experienced the following bug: MC always dumps core after executing about
200 commands through the command line or external commands. This is a bit
annoying really, so today I 'scratched my itch' :-)

This crash comes from the SLtt_tgetstr() function (sldisply.c:2095):

	s = tgetstr (cap, &Termcap_String_Ptr);

The man page for the tgetstr() function says:

-- cut --
SYNOPSIS
       char *tgetstr(const char *id, char **area);

DESCRIPTION
       The return value will also be copied to the buffer pointed to by
       area, and the area value will be updated to point past the null ending
       this value.
-- cut --

So here we have a 'static char *Termcap_String_Ptr' that is continuously
changing with each call to tgetstr. Sooner or later it overruns and causes an
application crash.

Termcap_String_Ptr is static, so it's accessible only within the context
of the 'sldisply.c' file. The only usage of this pointer I discovered
is to act as the placeholder while calling the tgetstr() function.
Termcap_String_Ptr points to Termcap_String_Buf upon initialization.
Termcap_String_Buf is also static and used only in conjunction with
Termcap_String_Ptr.

Apparently it's safe to replace Termcap_String_Ptr with a local
temporary pointer, and I did so :-)

Please see the patch below.

-- 
  Kind regards,
  Andriy I Pylypenko
  PAI1-RIPE




--- sldisply.c.orig     Thu Nov 11 17:07:44 2004
+++ sldisply.c  Thu Nov 11 17:09:40 2004
@@ -2037,7 +2037,6 @@ static int Termcap_Initalized = 0;
 /* Termcap based system */
 static char Termcap_Buf[4096];
 static char Termcap_String_Buf[4096];
-static char *Termcap_String_Ptr;
 extern char *tgetstr(char *, char **);
 extern int tgetent(char *, char *);
 extern int tgetnum(char *);
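Review bot: removing the `static char *Termcap_String_Ptr` declaration is also the check for the "only usage" claim made in the message: any remaining reference to the pointer elsewhere in sldisply.c now fails to compile instead of silently keeping the old behaviour, so building the patched file with USE_TERMCAP defined is the test to run. Visible in the context lines but unrelated to this change, the local prototype `extern char *tgetstr(char *, char **)` disagrees with the man page's `char *tgetstr(const char *id, char **area)` on the constness of the first argument; worth aligning in a separate patch.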
@@ -2092,7 +2091,10 @@ char *SLtt_tgetstr (char *cap)
      return NULL;

 #ifdef USE_TERMCAP
-   s = tgetstr (cap, &Termcap_String_Ptr);
+   {
+     char *tmp_area = Termcap_String_Buf;
+     s = tgetstr (cap, &tmp_area);
+   }
 #else
    s = _SLtt_tigetstr (Terminfo, cap);
 #endif
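Review bot: `tmp_area` is reset to the start of `Termcap_String_Buf` on every call, and by the man-page excerpt quoted above the value is copied into that area and the pointer advanced past it, so each lookup now writes over the bytes of the previous one. If the string `tgetstr` returns is that copy rather than a pointer into the termcap entry, the `s` handed out by an earlier SLtt_tgetstr call is overwritten by the next one; confirm that no caller keeps the returned pointer across calls, or duplicate `s` into caller-owned storage before returning it. That would turn the reported cumulative overrun into aliasing rather than removing the hazard. Also, nothing here bounds the copy: `tgetstr` takes no size, so a single value longer than the 4096-byte buffer would still overflow.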
@@ -2223,7 +2225,6 @@ int SLtt_initialize (char *term)
 # else                                /* USE_TERMCAP */
    if (1 != tgetent(Termcap_Buf, term))
      return -1;
-   Termcap_String_Ptr = Termcap_String_Buf;
 # endif                                       /* NOT USE_TERMCAP */

    Termcap_Initalized = 1;
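Review bot: dropping the `Termcap_String_Ptr = Termcap_String_Buf` assignment is the required counterpart of the other two hunks, and it is consistent with the failure described in the message: the pointer was reset only here in SLtt_initialize, so every SLtt_tgetstr call between initializations consumed more of the 4096-byte buffer with no bound until it ran past the end. After the change SLtt_initialize no longer touches the string area at all, which is fine only because the per-call code now sets its own area pointer; that dependency deserves a comment next to `Termcap_String_Buf` so the two pieces are not separated later.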


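The area-pointer behaviour discussed in the message, as an added example that is not part of the original post or of slang: a small C model of the man-page contract, a bounded wrapper that refuses rather than overruns, and a check of what a per-call reset does to an earlier result. Every function name is made up for the demonstration and the capability values are constructed.

```c
/* Added example (not slang or termcap code): a model of the tgetstr() area
 * contract quoted above; every name here is made up for the demonstration. */
#include <stddef.h>
#include <string.h>

/* Man-page contract, with the capability value passed in directly instead of
 * looked up by id: copy it to *area, return the copy, advance *area past the
 * NUL. Like the real call, it has no way of knowing how big the area is. */
static char *model_tgetstr(const char *value, char **area)
{
    size_t n;
    if (value == NULL)
        return NULL;
    n = strlen(value) + 1;
    memcpy(*area, value, n);
    *area += n;
    return *area - n;
}

/* Defensive wrapper: keeps the accumulate-in-one-buffer behaviour (so earlier
 * results stay valid) but refuses instead of writing past area_end. */
static char *bounded_tgetstr(const char *value, char **area, const char *area_end)
{
    if (value == NULL || strlen(value) + 1 > (size_t)(area_end - *area))
        return NULL;
    return model_tgetstr(value, area);
}

/* Number of lookups a never-reset area survives before the bound trips; the
 * unbounded original would begin overrunning on the call after that. */
static int lookups_until_full(char *buf, size_t size)
{
    char *p = buf;
    int count = 0;
    while (bounded_tgetstr("\033[H\033[2J", &p, buf + size) != NULL)
        count++;
    return count;
}

/* The patch's per-call reset: every result lands at the buffer start, so a
 * pointer kept from an earlier call now reads a later value. Returns 1 if so. */
static int reset_clobbers_previous(char *buf)
{
    char *p = buf;
    const char *first = model_tgetstr("\033[K", &p);  /* "ce" value */
    p = buf;                                          /* tmp_area = buffer start */
    model_tgetstr("\033[H\033[2J", &p);               /* "cl" value */
    return strcmp(first, "\033[K") != 0;
}
```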


