NetBSD Problem Report #54085
From dholland@macaran.eecs.harvard.edu Wed Mar 27 23:11:01 2019
Return-Path: <dholland@macaran.eecs.harvard.edu>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id EFA7D7A0D9
for <gnats-bugs@gnats.NetBSD.org>; Wed, 27 Mar 2019 23:11:00 +0000 (UTC)
Message-Id: <20190327231058.07E226E24F@macaran.eecs.harvard.edu>
Date: Wed, 27 Mar 2019 19:10:57 -0400 (EDT)
From: dholland@eecs.harvard.edu
Reply-To: dholland@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: curses crash with non-ascii on bottom line
X-Send-Pr-Version: 3.95
>Number: 54085
>Category: lib
>Synopsis: curses crash with non-ascii on bottom line
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 27 23:15:00 +0000 2019
>Closed-Date: Fri Mar 29 17:07:09 +0000 2019
>Last-Modified: Fri Mar 29 17:07:09 +0000 2019
>Originator: David Holland
>Release: NetBSD 8.99.36 (20190325)
>Organization:
>Environment:
System: NetBSD macaran 8.99.36 NetBSD 8.99.36 (MACARAN) #52: Mon Mar 25 18:43:37 EDT 2019 dholland@macaran:/usr/src/sys/arch/amd64/compile/MACARAN amd64
Architecture: x86_64
Machine: amd64
>Description:
The following program segfaults in curses. The crash occurs here:
Thread 2 received signal SIGSEGV, Segmentation fault.
0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
(gdb) where
#0 0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
#1 0x00007d0062c1c63e in doupdate () from /usr/lib/libcurses.so.7
#2 0x00007d0062c1de6d in wrefresh () from /usr/lib/libcurses.so.7
#3 0x0000000000400ccb in main () at curse.c:13
(gdb) x/i 0x00007d0062c1adbd
=> 0x7d0062c1adbd: mov (%rdx),%ecx
(gdb)
and "info registers" shows that %rdx contains 0xa5a5a5a5a5a5a5a5.
This is with the new jemalloc, which might or might not actually be
related.
>How-To-Repeat:
------ snip ------
/* Minimal reproducer: draw a control character at column 0 of the
 * bottom line, then refresh. */
#include <string.h>
#include <unistd.h>
#include <curses.h>

int main(void) {
	initscr();
	cbreak();
	noecho();
	nl();
	clear();
	move(LINES-1, 0);	/* must be on last line */
	addch(0x10);		/* control characters or from 0x7f through 0xff */
	refresh();
	sleep(1);
	endwin();
	return 0;
}
------ snip ------
>Fix:
dunno.
>Release-Note:
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: lib/54085: curses crash with non-ascii on bottom line
Date: Thu, 28 Mar 2019 06:50:56 -0000 (UTC)
dholland@eecs.harvard.edu writes:
>Thread 2 received signal SIGSEGV, Segmentation fault.
>0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
>(gdb) where
>#0 0x00007d0062c1adbd in ?? () from /usr/lib/libcurses.so.7
>#1 0x00007d0062c1c63e in doupdate () from /usr/lib/libcurses.so.7
>#2 0x00007d0062c1de6d in wrefresh () from /usr/lib/libcurses.so.7
>#3 0x0000000000400ccb in main () at curse.c:13
>(gdb) x/i 0x00007d0062c1adbd
>=> 0x7d0062c1adbd: mov (%rdx),%ecx
>(gdb)
The crash happens when accessing
win->alines[H-1]->line[W]
and
scr->alines[H-1]->line[W]
respectively. Both use an out of range column index and reach
a guard area with the 0xa5 pattern.
This is caused by code in makech(). It maintains two pointers
nsp and csp that correspond to the line data at column wx.
wx is checked against the line width to avoid dereferencing
invalid pointers, but in lines 1350ff the pointers are
incremented (by 1) while the index is incremented by chw
which, for wide chars, is the result of a wcwidth() call
that may result in 0 or -1 for invalid byte sequences.
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
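The pointer/index mismatch described above, modelled in plain C as an added illustration (this is not libcurses source; walk_line, build_line, steps_for, LINE_W and GUARD are constructed names, and the line contents are constructed). It shows the original loop walking past the line when wcwidth(3) returns -1 for the PR's 0x10 cell, and the same walk staying in bounds once the width is clamped to 1.

```c
#define _XOPEN_SOURCE 700          /* for wcwidth(3) in <wchar.h> */
#include <wchar.h>
extern int wcwidth(wchar_t);       /* POSIX; redeclared in case feature macros hide it */

#define LINE_W 8   /* constructed line width in columns */
#define GUARD  4   /* constructed cells past the line (stands in for the 0xa5 guard area) */

/* Walk one line the way makech() does: wx advances by the glyph width,
 * the cell pointer by one cell, and only wx is bounds-checked.
 * clamp_width == 0 models the original loop, != 0 models the fix.
 * Returns the number of cells the pointer stepped over; a value above
 * LINE_W means the walk read past the end of the line. */
size_t walk_line(const wchar_t *line, int clamp_width)
{
    const wchar_t *nsp = line;
    size_t steps = 0;
    int wx = 0;

    /* steps bound only keeps this model inside its own buffer */
    while (wx < LINE_W && steps < LINE_W + GUARD) {
        int chw = wcwidth(*nsp);    /* 1 for 'a', -1 for control chars */
        if (clamp_width && chw < 1)
            chw = 1;                /* the patch's "still output attributes" */
        wx += chw;                  /* index: by width */
        nsp++;                      /* pointer: by one cell */
        steps++;
    }
    return steps;
}

/* Constructed line: LINE_W printable cells, optionally with the PR's
 * 0x10 control character in the last column, then GUARD sentinel cells. */
void build_line(wchar_t *buf, int with_control)
{
    size_t i;
    for (i = 0; i < LINE_W; i++)
        buf[i] = L'a';
    if (with_control)
        buf[LINE_W - 1] = 0x10;
    for (i = LINE_W; i < LINE_W + GUARD; i++)
        buf[i] = 0xa5a5;            /* sentinel; its width does not change the outcome */
}

/* Steps taken for one line/loop combination. */
size_t steps_for(int with_control, int clamp_width)
{
    wchar_t buf[LINE_W + GUARD];
    build_line(buf, with_control);
    return walk_line(buf, clamp_width);
}
```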
From: Roy Marples <roy@marples.name>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: lib/54085: curses crash with non-ascii on bottom line
Date: Thu, 28 Mar 2019 16:58:45 +0000
This patch should solve the issue.
Let me know!
Roy
Index: refresh.c
===================================================================
RCS file: /cvsroot/src/lib/libcurses/refresh.c,v
retrieving revision 1.105
diff -u -p -r1.105 refresh.c
--- refresh.c 6 Jan 2019 04:27:53 -0000 1.105
+++ refresh.c 28 Mar 2019 16:57:08 -0000
@@ -1046,10 +1046,15 @@ putchbr(__LDATA *nsp, __LDATA *csp, __LD
* To do this, work out their widths.
* XXX This does not work when the bottom right corner is an
ACS. */
#ifdef HAVE_WCHAR
+ if (psp == NULL) /* Nothing to insert? */
+ return ERR;
cw = wcwidth(nsp->ch);
- pcw = psp == NULL ? 0 : wcwidth(psp->ch);
+ pcw = wcwidth(psp->ch);
+ /* Still need to output attributes. */
+ if (cw < 1)
+ cw = 1;
if (pcw < 1)
- return ERR; /* Nothing to insert */
+ pcw = 1;
/* When wide characters we need something other than
* insert_character. */
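Review bot: the new `if (pcw < 1) pcw = 1;` turns what used to be an error return (`return ERR; /* Nothing to insert */`) into a one-column insert whenever wcwidth(3) reports a zero or negative width for psp->ch, so a control character or invalid sequence in the cell before the corner is now drawn as one column rather than skipped; that is consistent with the clamp on cw just above it, but the reason (a negative width is expected for non-printable cells and the attributes still have to be emitted) belongs in the comment, and it should be stated that the `psp == NULL` early return is now the only path that yields ERR here. The added `/* Nothing to insert? */` also reads as a question; make it a statement.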
@@ -1318,6 +1323,8 @@ makech(int wy)
#ifdef HAVE_WCHAR
chw = wcwidth(nsp->ch);
+ if (chw < 1)
+ chw = 1; /* Still need to output
attributes. */
#else
chw = 1;
#endif /* HAVE_WCHAR */
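Review bot: clamping chw to 1 restores the invariant broken here (nsp and csp advance by one cell per iteration while wx advances by chw, and only wx is compared against the line width), so a width of 0 or -1 can no longer move the pointers past the line; the same clamp is needed at every other point in makech() that advances wx by a wcwidth(3) result, otherwise the pointers can still desynchronise at a different site. Placing the clamp only under HAVE_WCHAR is fine since the #else branch already fixes chw at 1.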
From: Valery Ushakov <uwe@stderr.spb.ru>
To: gnats-bugs@netbsd.org
Cc: Roy Marples <roy@marples.name>
Subject: Re: lib/54085: curses crash with non-ascii on bottom line
Date: Fri, 29 Mar 2019 02:52:25 +0300
On Thu, Mar 28, 2019 at 17:00:03 +0000, Roy Marples wrote:
> This patch should solve the issue.
> Let me know!
It makes efence happy.
-uwe
From: "Roy Marples" <roy@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54085 CVS commit: src/lib/libcurses
Date: Fri, 29 Mar 2019 16:56:58 +0000
Module Name: src
Committed By: roy
Date: Fri Mar 29 16:56:58 UTC 2019
Modified Files:
src/lib/libcurses: refresh.c
Log Message:
Use WCOL rather than wcwidth(3) as we should already know the width
during refresh.
Ensure the character width is not negative when advancing during refresh
(unlikely) and we actually have something to insert in the lower right
corner depending on terminal caps.
Fixes PR lib/54085
To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 src/lib/libcurses/refresh.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: roy@NetBSD.org
State-Changed-When: Fri, 29 Mar 2019 17:07:09 +0000
State-Changed-Why:
Fixed
>Unformatted:
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.