possible heap overrun in tparm

From: Sergei Ivanov
Subject: possible heap overrun in tparm
Date: Thu, 12 Oct 2000 14:05:26 +0400 (MSD)

Hello ncurses maintainers,

In ncurses-5.1, it seems that there is a tiny chance of heap overrun
(off-by-one) in tparm (ncurses/tinfo/lib_tparm.c).

Near the end of tparam_internal(), it does
        out_buff[out_used] = '\0'
But it is not guaranteed that there are out_used+1 bytes allocated
in out_buff. If the last operation was save_char() - which calls
get_space(1) - it may happen that out_used==out_size-1 before
the call to save_char() and therefore out_used==out_size after the call.
(Other save_xxx() functions in the module are ok.) Right?

This gets fixed if you either call get_space(2) in save_char(),
or call get_space(1) before the offending operator.
The patch below does the second thing, and also makes tparm()
consistently call _nc_err_abort() in all no-memory cases
(because get_space() does this).

--- lib_tparm.c.-1      Sun Jun  6 04:04:55 1999
+++ lib_tparm.c Thu Oct 12 13:53:53 2000
@@ -562,8 +562,7 @@
        } /* endwhile (*string) */
-       if (out_buff == 0 && (out_buff = typeCalloc(char,1)) == NULL)
-               return(NULL);
+       get_space(1);
        out_buff[out_used] = '\0';
        T((T_RETURN("%s"), _nc_visbuf(out_buff)));
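Review bot: replacing the `typeCalloc` branch with `get_space(1)` changes the failure mode of this path from `return(NULL)` to whatever `get_space()` does when allocation fails (`_nc_err_abort()`, per the description), so any caller that checked `tparm()` for NULL on out-of-memory no longer gets that chance; that behavioural change deserves a line in the commit message. Also confirm that `get_space()` copes with the never-allocated state (`out_buff == 0`, `out_size == 0`) that the removed branch covered when the loop produced no output, since it is now the only allocation on that path before `out_buff[out_used] = '\0'`.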

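As an added illustration, not part of the mail above or of ncurses itself: a toy model of the out_buff/out_used/out_size bookkeeping that reproduces the off-by-one the mail describes and shows why one extra get_space(1) before the terminator write removes it. The growth policy (start at 4 bytes, double) and the function terminate_is_safe() are constructed for the example; only the names mirror the mail.

```c
#include <stdlib.h>

/* Toy model of tparm's output buffer state; names follow the mail. */
typedef struct {
    char  *out_buff;
    size_t out_size;   /* bytes allocated */
    size_t out_used;   /* bytes written so far */
} outbuf;

/* Ensure at least `need` unused bytes remain; mirrors get_space(n).
 * Growth policy is a constructed assumption, not ncurses' own. */
static void get_space(outbuf *b, size_t need)
{
    if (b->out_used + need > b->out_size) {
        size_t new_size = b->out_size == 0 ? 4 : b->out_size * 2;
        while (b->out_used + need > new_size) new_size *= 2;
        b->out_buff = realloc(b->out_buff, new_size);
        if (b->out_buff == NULL) abort();   /* stands in for _nc_err_abort() */
        b->out_size = new_size;
    }
}

/* Mirrors save_char(): reserves exactly one byte, then writes one byte,
 * so afterwards out_used may equal out_size (no room for '\0'). */
static void save_char(outbuf *b, char c)
{
    get_space(b, 1);
    b->out_buff[b->out_used++] = c;
}

/* True if out_buff[out_used] = '\0' would land inside the allocation. */
static int terminator_in_bounds(const outbuf *b)
{
    return b->out_used < b->out_size;
}

/* Emit `n` chars via save_char(), optionally apply the patch's extra
 * get_space(1), and report whether the final terminator write is safe. */
int terminate_is_safe(size_t n, int with_fix)
{
    outbuf b = { NULL, 0, 0 };
    for (size_t i = 0; i < n; i++) save_char(&b, 'x');
    if (with_fix) get_space(&b, 1);   /* the patch: reserve the '\0' byte */
    int ok = terminator_in_bounds(&b);
    if (ok) b.out_buff[b.out_used] = '\0';   /* only write when in bounds */
    free(b.out_buff);
    return ok;
}
```

With this growth policy the unpatched path is unsafe exactly when the emitted length hits an allocation boundary (4, 8, 16, ...), which is the out_used==out_size case the mail describes.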