[screen-devel] [bug #46401] Global out of bounds read in termcap.c due t


From: anonymous
Subject: [screen-devel] [bug #46401] Global out of bounds read in termcap.c due to wrong loop
Date: Sun, 08 Nov 2015 19:03:45 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.16 Safari/537.36

URL:
  <http://savannah.gnu.org/bugs/?46401>

                 Summary: Global out of bounds read in termcap.c due to wrong loop
                 Project: GNU Screen
            Submitted by: None
            Submitted on: Sun 08 Nov 2015 07:03:44 PM UTC
                Category: Program Logic
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
           Fixed Release: None
         Planned Release: None
           Work Required: None

    _______________________________________________________

Details:

I tested screen with the compiler feature Address Sanitizer
(-fsanitize=address in CFLAGS/LDFLAGS). When running screen on a real Linux
console (not in an X terminal) it didn't start due to an error.

The error can't be seen directly because screen disables stderr. To reproduce
it, one can use ASAN_OPTIONS="log_path=[somepath]".

The problem is this code in termcap.c:
                s = "l+m+k+j+u+t+v+w+q-x|n+o~s_p\"r#`+a:f'g#~o.v-^+<,>h#I#0#y<z>";
                for (i = strlen(s) & ~1; i >= 0; i -= 2)
                        D_c0_tab[(int)(unsigned char)s[i]] = s[i + 1];

The loop will start right of the string s. One needs to subtract 2 from
strlen(s) for the code to be correct. Right after that is a loop with the same
logic, so the same fix should be applied. I will attach a patch that fixes
both.

Will also attach the address sanitizer error message.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun 08 Nov 2015 07:03:44 PM UTC  Name: screen-fix-oob.diff  Size: 616B  
By: None

<http://savannah.gnu.org/bugs/download.php?file_id=35419>
-------------------------------------------------------
Date: Sun 08 Nov 2015 07:03:44 PM UTC  Name: screen-asan-error.10850  Size:
2kB   By: None

<http://savannah.gnu.org/bugs/download.php?file_id=35420>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?46401>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
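
Added example, not part of the original report, the attached patch, or GNU Screen's source: a bounds-checked model of the loop quoted above, comparing the start index as reported with the start index after subtracting 2. The function names (start_reported, start_fixed, pair_in_bounds, fill_table) are hypothetical; only the pair string and the index expression come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Pair string quoted in the report: key character, then its replacement. */
static const char PAIRS[] =
    "l+m+k+j+u+t+v+w+q-x|n+o~s_p\"r#`+a:f'g#~o.v-^+<,>h#I#0#y<z>";

/* Start index of the loop as quoted in the report. */
long start_reported(const char *s) { return (long)(strlen(s) & ~(size_t)1); }

/* Start index after the correction described in the report (subtract 2). */
long start_fixed(const char *s) { return start_reported(s) - 2; }

/* 1 if both s[i] and s[i + 1] lie inside the array, terminating NUL included. */
int pair_in_bounds(const char *s, long i)
{
    return i >= 0 && (size_t)i + 1 <= strlen(s);
}

/* Walk the pairs downward from `start`, refusing any out-of-bounds read.
 * Returns the number of pairs stored, or -1 if a read would leave the array. */
int fill_table(unsigned char tab[256], const char *s, long start)
{
    int n = 0;
    for (long i = start; i >= 0; i -= 2) {
        if (!pair_in_bounds(s, i))
            return -1;
        tab[(unsigned char)s[i]] = (unsigned char)s[i + 1];
        n++;
    }
    return n;
}

int main(void)
{
    unsigned char tab[256] = {0};
    printf("strlen=%zu reported start=%ld fixed start=%ld\n",
           strlen(PAIRS), start_reported(PAIRS), start_fixed(PAIRS));
    printf("reported loop: %d, fixed loop: %d pairs\n",
           fill_table(tab, PAIRS, start_reported(PAIRS)),
           fill_table(tab, PAIRS, start_fixed(PAIRS)));
    return 0;
}
```

With the reported start index the first iteration reads s[strlen(s) + 1], one byte past the terminating NUL, which is the global out-of-bounds read Address Sanitizer flags.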



