NetBSD Problem Report #53801

From www@NetBSD.org  Wed Dec 19 07:42:31 2018
Return-Path: <www@NetBSD.org>
Message-Id: <20181219074229.D53117A1D7@mollari.NetBSD.org>
Date: Wed, 19 Dec 2018 07:42:29 +0000 (UTC)
From: june@causal.agency
Reply-To: june@causal.agency
To: gnats-bugs@NetBSD.org
Subject: Segmentation fault in curses with pads
X-Send-Pr-Version: www-1.0

>Number:         53801
>Notify-List:    uwe@NetBSD.org
>Category:       lib
>Synopsis:       Segmentation fault in curses with pads
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          needs-pullups
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 19 07:45:00 +0000 2018
>Closed-Date:    
>Last-Modified:  Mon May 27 14:37:00 +0000 2019
>Originator:     C. McEnroe
>Release:        8.0
>Organization:
>Environment:
NetBSD monday 8.0 NetBSD 8.0 (RPI2) #0: Tue Jul 17 14:59:51 UTC 2018  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/evbarm/compile/RPI2 evbarm
>Description:
A call to wmove(3) following a call to prefresh(3) where the pad is
drawn to the screen at coordinates outside the bounds of the pad will
result in a segmentation fault.  The call to prefresh(3) sets
pad->cury and pad->curx out of bounds, and wmove(3) accesses
pad->alines using those coordinates.
>How-To-Repeat:
#include <curses.h>

int main(void) {
        initscr();
        /* 1-row pad; drawing it at screen row 5 leaves the cursor outside the pad */
        WINDOW *pad = newpad(1, COLS);
        prefresh(pad, 0, 0, 5, 0, 5, COLS - 1);
        /* segfaults: pad->cury/curx are out of bounds after prefresh */
        wmove(pad, 0, 0);
        endwin();
        return 0;
}
>Fix:
pad->cury and pad->curx get set in prefresh on refresh.c:485.
The LEAVEOK check above this seems inverted: the cursor position is
changed when LEAVEOK is *not* set.  The same appears in wrefresh.
The position calculation is copied from wrefresh and results in
coordinates outside of the pad bounds.

>Release-Note:

>Audit-Trail:

From: Valery Ushakov <uwe@stderr.spb.ru>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/53801: Segmentation fault in curses with pads
Date: Sat, 5 Jan 2019 02:54:14 +0300

 On Wed, Dec 19, 2018 at 07:45:00 +0000, june@causal.agency wrote:

 > pad->cury and pad->curx get set in prefresh on refresh.c:485.
 > The LEAVEOK check above this seems inverted: the cursor position is
 > changed when LEAVEOK is *not* set.  The same appears in wrefresh.
 > The position calculation is copied from wrefresh and results in
 > coordinates outside of the pad bounds.

 No, the problem is that the window logic cannot be used for a pad as is.

 curscr->cury - win->begy is the offset from the beginning of the
 window.  The same code is used for the pad, but in pad's case the
 reference point should be sbegy and the result should be adjusted to
 take into account that sbegy is really pbegy.

 So it should be something like

     pad->cury = max(0, pbegy + (curscr->cury - sbegy));
     pad->curx = max(0, pbegx + (curscr->curx - sbegx));

 modulo more checks.  That doesn't crash, but it doesn't really do the
 right thing either b/c there's probably a similar pad vs window
 problem elsewhere and we end up with wrong curscr->cury.

 E.g. tweaking the test to be a bit more complex:

     WINDOW *pad = newpad(2, COLS);
     mvwaddstr(pad, 0, 0, "Hello\nWorld");
     prefresh(pad,
         1, 0,           /* pad start position */
         5, 0,           /* screen start position */
         5, COLS - 1);   /* screen limit */

     int y = -1, x = -1;
     getyx(pad, y, x);

 gives expected (1, 5) under ncurses but (0, 5) under netbsd with the
 above change (curscr->cury is 0, so a negative value is caught by the
 max), and the cursor is in the first line after the refresh, not the
 6th line.

 -uwe
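To make the coordinate problem described in the reply above concrete, here is an added C example (not libcurses code; the structs are hypothetical stand-ins for the WINDOW fields named in the PR) that computes the cursor position both the window way and the pad way for the original reproducer and for the two-row test, with COLS assumed to be 80:

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the WINDOW fields this PR discusses (not the
 * real libcurses struct): begy/begx = screen origin (always 0 for a pad),
 * maxy/maxx = size in rows/columns. */
struct pad_geom { int begy, begx, maxy, maxx; };

struct cursor { int y, x; };   /* curscr->cury/curx left after the refresh */

/* Offset from the window's own screen origin, as wrefresh() does: right for
 * a window, wrong for a pad whose begy/begx stay 0 wherever it is drawn. */
static struct cursor window_style_pos(const struct pad_geom *w, struct cursor cur)
{
    struct cursor p = { cur.y - w->begy, cur.x - w->begx };
    return p;
}

/* Pad-aware calculation from the audit trail: reference point is the screen
 * rectangle origin (sbegy, sbegx), shifted by the pad origin (pbegy, pbegx),
 * then clamped so a later wmove() cannot index alines[] out of range. */
static struct cursor pad_style_pos(const struct pad_geom *pad, struct cursor cur,
                                   int pbegy, int pbegx, int sbegy, int sbegx)
{
    int y = pbegy + (cur.y - sbegy);
    int x = pbegx + (cur.x - sbegx);
    if (y < 0) y = 0;
    if (y > pad->maxy - 1) y = pad->maxy - 1;
    if (x < 0) x = 0;
    if (x > pad->maxx - 1) x = pad->maxx - 1;
    struct cursor p = { y, x };
    return p;
}

/* true when (y, x) addresses a cell that actually exists in the pad */
static bool in_pad(const struct pad_geom *pad, struct cursor p)
{
    return p.y >= 0 && p.y < pad->maxy && p.x >= 0 && p.x < pad->maxx;
}

int main(void)
{
    /* PR reproducer: 1-row pad drawn at screen row 5; COLS assumed 80 */
    struct pad_geom pad = { 0, 0, 1, 80 };
    struct cursor cur = { 5, 0 };   /* constructed: curscr cursor after prefresh */
    struct cursor bad = window_style_pos(&pad, cur);
    struct cursor ok = pad_style_pos(&pad, cur, 0, 0, 5, 0);
    printf("window formula (%d,%d) in pad: %d\n", bad.y, bad.x, in_pad(&pad, bad));
    printf("pad formula    (%d,%d) in pad: %d\n", ok.y, ok.x, in_pad(&pad, ok));
    return 0;
}
```

The window formula yields row 5 for a 1-row pad, which is the index wmove(3) then uses into pad->alines; the pad formula yields (0, 0), and for the two-row test it yields (1, 5) when curscr->cury is 5, or (0, 5) when curscr->cury is wrongly 0, matching the two results quoted above.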

From: "Valeriy E. Ushakov" <uwe@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53801 CVS commit: src/lib/libcurses
Date: Sun, 6 Jan 2019 03:46:12 +0000

 Module Name:	src
 Committed By:	uwe
 Date:		Sun Jan  6 03:46:11 UTC 2019

 Modified Files:
 	src/lib/libcurses: refresh.c

 Log Message:
 prefresh - fix current position calculations

 The code was copy-pasted from wrefresh(), but for pads we need to
 adjust for (pbegy, pbegx).

 PR lib/53801


 To generate a diff of this commit:
 cvs rdiff -u -r1.102 -r1.103 src/lib/libcurses/refresh.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: uwe@NetBSD.org
State-Changed-When: Sun, 06 Jan 2019 04:03:41 +0000
State-Changed-Why:
I've committed the fix.  The follow-up commit also fixes the other problem
I've mentioned.


State-Changed-From-To: pending-pullups->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Mon, 27 May 2019 14:37:00 +0000
State-Changed-Why:
Correct state for no pullup being filed.


>Unformatted:
