
Re: [Bug-readline] heap-buffer-overflow in update_line


From: Chet Ramey
Subject: Re: [Bug-readline] heap-buffer-overflow in update_line
Date: Thu, 16 May 2019 16:50:41 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

On 5/8/19 4:10 PM, Tom de Vries wrote:
> Hi,
> 
> when:
> - building trunk gdb (using the readline sources in the binutils-gdb.git
>   repo) on openSUSE 15.0 x86_64-linux with -fsanitize=address, and:
> - running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
> I run into a heap-buffer-overflow failure for
> gdb.base/utf8-identifiers.exp, reported as PR gdb/24514 -
> "heap-buffer-overflow in update_line for utf8-identifiers.exp"  at
> https://sourceware.org/bugzilla/show_bug.cgi?id=24514 .

                        [...]

> which triggers without needing the address sanitizer, like this:
> ...
> $ TERM=dumb gdb -q -ex "set width 0"
> gdb: /home/vries/readline/src/display.c:1393: rl_redisplay: Assertion
> `last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
> failed.
> Aborted (core dumped)

This looks like the same problem as described in

http://lists.gnu.org/archive/html/bug-readline/2019-03/msg00001.html

In this case, gdb sets the screen width to 32766, which is obviously
bonkers on a dumb terminal. Gdb should pass -1 to rl_set_screen_size
so readline doesn't override the number of columns on the physical
terminal.

I can look at making the redisplay code more resilient in the face of
huge values, but I'm sure there are a few places where it makes some
assumptions.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://tiswww.cwru.edu/~chet/


