waddnstr accesses extra byte after allocated memory
From: Sergey Poznyakoff
Subject: waddnstr accesses extra byte after allocated memory
Date: Fri, 31 Jan 2025 15:52:51 +0100
User-agent: MH (GNU Mailutils 3.17.90)
Hello,
It appears that commit 42259b594 introduced a mild bug to
waddnstr. It changed the loop condition from
while ((n-- > 0) && (*str != '\0')) {
to
while ((*str != '\0') && (n-- > 0)) {
As a consequence, an extra byte beyond the end of the passed
string is accessed prior to checking if it should be.
That doesn't harm the functionality, of course, but makes
memory checking tools unnecessarily noisy. For example,
running the attached simple program under valgrind produces
the following:
==10856== Invalid read of size 1
==10856== at 0x48873E9: waddnstr (in /lib64/libncurses.so.6.3)
==10856== by 0x4011B9: main (in /home/gray/tmp/a.out)
==10856== Address 0x4abe041 is 0 bytes after a block of size 1 alloc'd
==10856== at 0x483F7C5: malloc (vg_replace_malloc.c:381)
==10856== by 0x40116E: main (in /home/gray/tmp/a.out)
Reverting the condition to its state before 42259b594 fixes
the problem.
Regards,
Sergey
#include <stdlib.h>
#include <ncurses.h>
#include <assert.h>

int
main(void)
{
	/* One byte, deliberately without a terminating NUL: the call below
	   passes n = 1, so waddnstr should never need to look past a[0]. */
	char *a = malloc(1);
	assert(a != NULL);
	a[0] = 'a';
	initscr();
	waddnstr(stdscr, a, 1);	/* valgrind flags a 1-byte read past the block here */
	endwin();
	free(a);
	return 0;
}
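The two loop shapes quoted in the report differ only in evaluation order, which is easy to miss in review. The following added example (not part of the original message or of ncurses) reproduces both orderings over an instrumented buffer and records the highest index each one dereferences. The probe function and the padded buffer are constructed for the demonstration so that the extra read is observable without actually touching unowned memory; in the real library that byte lies outside the malloc'd block.

```c
#include <stdio.h>

/* Highest index of the buffer that the most recent loop touched; -1 = none. */
static int highest_index;

/* Read one byte through a bounds-recording probe (constructed helper). */
static char probe(const char *buf, int i)
{
    if (i > highest_index)
        highest_index = i;
    return buf[i];
}

/* Loop shape before commit 42259b594: the count is tested first, so the
 * string is never dereferenced once n is exhausted.
 * Returns the highest index read. */
int old_order_max_index(const char *str, int n)
{
    int i = 0;
    highest_index = -1;
    while ((n-- > 0) && (probe(str, i) != '\0'))
        i++;
    return highest_index;
}

/* Loop shape after 42259b594: the byte is dereferenced before the count is
 * tested, so when no NUL occurs within the first n bytes the loop reads
 * one byte beyond them. Returns the highest index read. */
int new_order_max_index(const char *str, int n)
{
    int i = 0;
    highest_index = -1;
    while ((probe(str, i) != '\0') && (n-- > 0))
        i++;
    return highest_index;
}

int main(void)
{
    /* Constructed input mirroring the report: a single 'a' with n = 1 and no
     * NUL inside those n bytes. The trailing NUL here only makes the extra
     * read safe for the demonstration; it stands in for whatever happens to
     * follow the allocation in the real program. */
    char padded[2] = { 'a', '\0' };

    printf("old order: highest index read = %d (stays within n = 1)\n",
           old_order_max_index(padded, 1));
    printf("new order: highest index read = %d (one byte past n = 1)\n",
           new_order_max_index(padded, 1));
    return 0;
}
```

With the reported input the old ordering stops after index 0 while the new one touches index 1, which is exactly the 1-byte read valgrind attributes to waddnstr. The same helpers show the general case: for any string longer than n without an intervening NUL, the new ordering reads index n, one past the caller's limit.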