From: anonymous
Subject: [screen-devel] [bug #50197] out of bounds write when dimensions are still 0, 0
Date: Tue, 31 Jan 2017 13:59:12 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

URL:
  <http://savannah.gnu.org/bugs/?50197>

                 Summary: out of bounds write when dimensions are still 0, 0
                 Project: GNU Screen
            Submitted by: None
            Submitted on: Tue 31 Jan 2017 01:59:11 PM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.4.0
           Fixed Release: None
         Planned Release: None
           Work Required: None

    _______________________________________________________

Details:

Program received signal SIGSEGV, Segmentation fault.
0x080510da in MFixLine (address@hidden, address@hidden,
address@hidden) at ansi.c:2371
2371    ansi.c: No such file or directory.
(gdb) bt
#0  0x080510da in MFixLine (address@hidden, address@hidden,
address@hidden) at ansi.c:2371
#1  0x08051a7a in MPutChar (p=0x80cb2d8, c=0x80cd830, x=-1, y=-1) at
ansi.c:2723
#2  0x08057e61 in WriteString (wp=0x0, buf=0xffb8c453 "\033[1;27H\r\n",
len=175) at ansi.c:869
#3  0x08067868 in win_readev_fn (ev=0x80cb2e4, data=0x80cb2d8 "") at
window.c:1942
#4  0x08090630 in sched () at sched.c:237
#5  0x0804c463 in main (ac=<optimized out>, av=<optimized out>) at
screen.c:1487
(gdb) frame 0
#0  0x080510da in MFixLine (address@hidden, address@hidden,
address@hidden) at ansi.c:2371
2371      if (mc->attr && ml->attr == null)
(gdb) up
#1  0x08051a7a in MPutChar (p=0x80cb2d8, c=0x80cd830, x=-1, y=-1) at
ansi.c:2723
2723      MFixLine(p, y, c);
(gdb) up
#2  0x08057e61 in WriteString (wp=0x0, buf=0xffb8c453 "\033[1;27H\r\n",
len=175) at ansi.c:869
869                       MPutChar(curr, &curr->w_rend, curr->w_x,
curr->w_y);
(gdb) l 
864                           curr->w_x++;
865                         }
866                     }
867                   else if (curr->w_x == cols - 1)
868                     {
869                       MPutChar(curr, &curr->w_rend, curr->w_x,
curr->w_y);
870                       LPutChar(&curr->w_layer, &curr->w_rend, curr->w_x,
curr->w_y);
871                       if (curr->w_wrap)
872                         curr->w_x++;
873                     }
(gdb) p cols
$3 = 0
(gdb) p rows
$4 = 0

As one can see, rows/cols are both 0-valued but are used for range index
computations. It seems that when a screen is started in detached mode those
variables are never set to reasonable values (like 25, 80).
The source code above is actually from 4.2.1, as it was easier in Debian to
retrieve the source for that version, yet the error also occurs in 4.4.0.

Reproduce:
Terminal 1:
$ xxd bad_sequence 
00000000: 1b5b 721b 5b6d 1b5b 324a 1b5b 481b 5b3f  .[r.[m.[2J.[H.[?
00000010: 3768 1b5b 3f31 3b33 3b34 3b36 6c1b 5b3b  7h.[?1;3;4;6l.[;
00000020: 481b 5b32 4a00 0000 0000 0000 0000 0000  H.[2J...........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 001b 5b3b 481b 5b32 4a00  ........[;H.[2J.
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 001b 5b3b 376d 1b28 301b 5b31 3b31 3048  ..[;7m.(0.[1;10H
000000a0: 0000 0000 0078 1b5b 313b 3237 480a       .....x.[1;27H.
$ screen -d -m bash -c 'sleep 10; cat bad_sequence; sleep 999'
Terminal 2 ("continue" in gdb and wait for the crash in less than 10 seconds)
$ gdb -p $(pgrep  screen)



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 31 Jan 2017 01:59:11 PM UTC  Name: bad_sequence  Size: 174B   By: None

<http://savannah.gnu.org/bugs/download.php?file_id=39625>

    _______________________________________________________

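The backtrace above shows MPutChar being handed x=-1, y=-1 because the writer's "last column" test (w_x == cols - 1) is true when cols is still 0. The following C program is an added illustration of that mechanism and of the kind of bounds check a defender would want in front of the cell buffer; it is not code from GNU Screen and not the upstream fix. The struct grid, grid_put, grid_in_bounds and try_put names are hypothetical, and the grid is a constructed stand-in for a window's character cells.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a window's character grid: `rows` lines of `cols`
 * cells. The names (struct grid, grid_put, grid_in_bounds, try_put) are
 * hypothetical and are not taken from screen's sources. */
struct grid {
    int cols;
    int rows;
    char *cells;   /* rows * cols bytes, or NULL while the geometry is unset */
};

/* The condition visible in the WriteString frame of the trace: the cursor is
 * treated as sitting in the last column when x == cols - 1. While cols is
 * still 0 that matches x == -1, which is the value MPutChar then receives. */
bool at_last_column(int x, int cols)
{
    return x == cols - 1;
}

/* Hardened bounds check: refuses an unset (0 x 0) geometry as well as
 * negative or out-of-range coordinates, so a write can never land before
 * or past the cell buffer. */
bool grid_in_bounds(const struct grid *g, int x, int y)
{
    if (g->cols <= 0 || g->rows <= 0)    /* geometry not initialised yet */
        return false;
    if (x < 0 || y < 0)                  /* cursor coordinates must be >= 0 */
        return false;
    return x < g->cols && y < g->rows;
}

/* Returns 1 when the character was stored, 0 when the write was refused. */
int grid_put(struct grid *g, int x, int y, char ch)
{
    if (g->cells == NULL || !grid_in_bounds(g, x, y))
        return 0;
    g->cells[(size_t)y * (size_t)g->cols + (size_t)x] = ch;
    return 1;
}

void grid_init(struct grid *g, int cols, int rows)
{
    g->cols = cols;
    g->rows = rows;
    g->cells = NULL;
    if (cols > 0 && rows > 0)
        g->cells = calloc((size_t)rows * (size_t)cols, 1);
}

void grid_free(struct grid *g)
{
    free(g->cells);
    g->cells = NULL;
}

/* Convenience wrapper: build a cols x rows grid, attempt one write at (x, y)
 * and report whether it was accepted. */
int try_put(int cols, int rows, int x, int y)
{
    struct grid g;
    grid_init(&g, cols, rows);
    int ok = grid_put(&g, x, y, 'x');
    grid_free(&g);
    return ok;
}

int main(void)
{
    /* A detached window whose geometry is still 0 x 0, as in the report. */
    int cols = 0, rows = 0, x = -1, y = -1;
    printf("cols=%d rows=%d: at_last_column(x=%d) -> %s\n", cols, rows, x,
           at_last_column(x, cols) ? "true" : "false");
    printf("write at (%d,%d) accepted: %d\n", x, y, try_put(cols, rows, x, y));

    /* Sane geometry: the last cell is writable, one past it is not. */
    printf("80x25 write at (79,24): %d, at (80,24): %d\n",
           try_put(80, 25, 79, 24), try_put(80, 25, 80, 24));
    return 0;
}
```

The check refuses the 0 x 0 case outright rather than relying on the caller: with cols == 0 the arithmetic in at_last_column still yields a "valid looking" match at x == -1, so the only robust place to stop the write is at the buffer access itself (or, as the report suggests, by giving a detached window real dimensions before any output is processed).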