NetBSD Problem Report #42646

From www@NetBSD.org  Wed Jan 20 00:36:39 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 1A29463C2BC
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 20 Jan 2010 00:36:39 +0000 (UTC)
Message-Id: <20100120003638.AEC3D63C2A9@www.NetBSD.org>
Date: Wed, 20 Jan 2010 00:36:38 +0000 (UTC)
From: joachim.kuebart@gmail.com
Reply-To: joachim.kuebart@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Shell crashes in libedit when window size changes (SIGWINCH)
X-Send-Pr-Version: www-1.0

>Number:         42646
>Category:       lib
>Synopsis:       Shell crashes in libedit when window size changes (SIGWINCH)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 20 00:40:00 +0000 2010
>Closed-Date:    Wed Jan 20 09:05:38 +0000 2010
>Last-Modified:  Wed Jan 20 09:05:38 +0000 2010
>Originator:     Joachim Kuebart
>Release:        NetBSD-current
>Organization:
>Environment:
NetBSD yacht 5.99.23 NetBSD 5.99.23 (YACHT) #1: Mon Jan 18 07:35:40 GMT 2010  joki@yacht:/usr/obj/amd64.new/usr/src/sys/arch/amd64/compile/YACHT amd64

>Description:
When /bin/sh is sent a signal that interrupts the current read() system call with errno=EINTR, it does a memcpy() with length -1 and receives a SIGSEGV.
>How-To-Repeat:
Send a SIGWINCH signal to a /bin/sh instance, either using
  kill -winch $$
or by changing the window size of an X terminal.
The shell is terminated by SIGSEGV.

>Fix:
This happens because libedit's el_gets() does not honour its contract of returning NULL in case of an error (like an interrupted system call EINTR). The following patch modifies el_gets() to return NULL when the underlying el_wgets() returned NULL. It uses the fact that ct_encode_string() returns NULL when it is passed a NULL argument.

Index: eln.c
===================================================================
RCS file: /pub/NetBSD-CVS/src/lib/libedit/eln.c,v
retrieving revision 1.4
diff -p -U8 -r1.4 eln.c
--- eln.c	12 Jan 2010 19:40:50 -0000	1.4
+++ eln.c	20 Jan 2010 00:29:22 -0000
@@ -67,20 +67,22 @@ el_push(EditLine *el, const char *str)
 	 * character sets too, and Does The Right Thing. */
 	el_wpush(el, ct_decode_string(str, &el->el_lgcyconv));
 }


 public const char *
 el_gets(EditLine *el, int *nread)
 {
+	const wchar_t *tmp;
+
 	el->el_flags |= IGNORE_EXTCHARS;
-	el_wgets(el, nread);
+	tmp = el_wgets(el, nread);
 	el->el_flags &= ~IGNORE_EXTCHARS;
-	return ct_encode_string(el->el_line.buffer, &el->el_lgcyconv);
+	return ct_encode_string(tmp, &el->el_lgcyconv);
 }


 public int
 el_parse(EditLine *el, int argc, const char *argv[])
 {
 	int ret;
 	const wchar_t **wargv;
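Review bot: the final `return ct_encode_string(tmp, &el->el_lgcyconv);` in el_gets() only yields NULL on an interrupted read if ct_encode_string() passes a NULL argument through, which the PR text states but this hunk neither shows nor documents. An explicit `if (tmp == NULL) return NULL;` placed after `el->el_flags &= ~IGNORE_EXTCHARS;` (so the flag is still restored on the error path), or at least a comment on the return line stating the dependency, would keep the error path from silently regressing if ct_encode_string() changes.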

>Release-Note:

>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42646 CVS commit: src/lib/libedit
Date: Tue, 19 Jan 2010 20:15:52 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Wed Jan 20 01:15:52 UTC 2010

 Modified Files:
 	src/lib/libedit: eln.c

 Log Message:
 PR/42646: Joachim Kuebart: Shell crashes in libedit when window size changes
 (SIGWINCH). Return NULL if el_gets() gets interrupted.


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/lib/libedit/eln.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Wed, 20 Jan 2010 09:05:38 +0000
State-Changed-Why:
christos committed the patch.
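
The failure described in this report, as an added example that is not part of the original PR or of libedit: a caller that checks both the returned pointer and the count before memcpy(), so an interrupted read cannot turn a count of -1 into a huge size_t length. fake_gets(), copy_line() and read_once() are hypothetical names, and the -1 count on interruption is assumed from the report's description.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a line reader with el_gets()-style results:
 * on an interrupted read the count is -1 (assumed from the report).
 * `fixed` selects a NULL return (contract honoured) or a stale buffer. */
static char stale[] = "old line\n";

static const char *fake_gets(int interrupted, int fixed, int *nread)
{
	if (interrupted) {
		*nread = -1;
		return fixed ? NULL : stale;
	}
	*nread = (int)strlen(stale);
	return stale;
}

/* Hypothetical caller-side helper: copy a line only when both the
 * pointer and the count are usable. Returns bytes copied or -1.
 * Without the count check, (size_t)-1 would reach memcpy(). */
static int copy_line(char *dst, size_t dstsize, const char *src, int nread)
{
	if (src == NULL || nread <= 0)
		return -1;
	if ((size_t)nread >= dstsize)
		return -1;		/* no room for data plus NUL */
	memcpy(dst, src, (size_t)nread);
	dst[nread] = '\0';
	return nread;
}

/* Run one simulated read through the helper and return its result. */
static int read_once(int interrupted, int fixed, char *out, size_t outsize)
{
	int n;
	const char *p = fake_gets(interrupted, fixed, &n);
	return copy_line(out, outsize, p, n);
}

int main(void)
{
	char buf[32];
	printf("normal: %d\n", read_once(0, 1, buf, sizeof buf));
	printf("interrupted, pre-fix: %d\n", read_once(1, 0, buf, sizeof buf));
	printf("interrupted, fixed: %d\n", read_once(1, 1, buf, sizeof buf));
	return 0;
}
```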


>Unformatted:
