Hi, I found two bugs in ncurses infotocap. Here are the reports:
Report1:
global-buffer-overflow in tparam_internal
ncurses-6.5-20250503/ncurses/tinfo/lib_tparm.c:863:4
### Environment:
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
### Compiler:
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
### Compiling:
```bash
CFLAGS="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
CXXFLAGS="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
./configure
make
```
### Version:
ncurses-6.5-20250503
### PoCfile:
Unzip poc.zip.
### Behavior:
```bash
./infotocap -o /dev/null poc/ncurses_000.poc
```
Output:
```
==3276519==ERROR: AddressSanitizer: global-buffer-overflow on address
0x5555557602f8 at pc 0x5555556ad1fe bp 0x7ffffffe1a10 sp 0x7ffffffe1a08
WRITE of size 4 at 0x5555557602f8 thread T0
#0 0x5555556ad1fd in tparam_internal
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_tparm.c:863:4
#1 0x5555556ae77b in _nc_tiparm
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_tparm.c:1393:15
#2 0x5555556b67a0 in set_attribute_9
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/trim_sgr0.c:117:13
#3 0x5555556b5d64 in _nc_trim_sgr0
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/trim_sgr0.c:309:13
#4 0x555555694421 in fmt_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1089:22
#5 0x555555699494 in dump_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1557:10
#6 0x555555684acf in main
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/tic.c:1063:7
#7 0x7ffff7c2a1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7ffff7c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x5555555c34e4 in _start (/home/exp/bin/asan_ubsan/infotocap+0x6f4e4)
(BuildId: fdd1f41deec1e579af30ce5b63f67afa87f54f4d)
0x5555557602f8 is located 8 bytes to the left of global variable
'_nc_prescreen' defined in
'/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_data.c:236:39'
(0x555555760300) of size 656
0x5555557602f8 is located 88 bytes to the right of global variable
'_nc_globals' defined in
'/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_data.c:119:37'
(0x5555557600c0) of size 480
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_tparm.c:863:4 in
tparam_internal
Shadow bytes around the buggy address:
0x0aab2aae4000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2aae4010: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aab2aae4020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae4030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae4040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aae4050: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]
0x0aab2aae4060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae4070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae4090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aae40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3276519==ABORTING
```
Report2:
heap-buffer-overflow in _nc_infotocap
ncurses-6.5-20250503/ncurses/tinfo/captoinfo.c:646:9
### Environment:
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
### Compiler:
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
### Compiling:
```bash
CFLAGS="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
CXXFLAGS="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g"
./configure
make
```
### Version:
lua 5.5.0
### PoCfile:
Unzip poc.zip.
### Behavior:
```bash
./infotocap -o /dev/null poc/ncurses_001.poc
```
Output:
```
==3336405==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60e0000002df at pc 0x5555556bd296 bp 0x7ffffffe1d10 sp 0x7ffffffe1d08
READ of size 1 at 0x60e0000002df thread T0
#0 0x5555556bd295 in _nc_infotocap
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/captoinfo.c:646:9
#1 0x55555569446c in fmt_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1121:20
#2 0x555555699494 in dump_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1557:10
#3 0x555555684acf in main
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/tic.c:1063:7
#4 0x7ffff7c2a1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7ffff7c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#6 0x5555555c34e4 in _start (/home/exp/bin/asan_ubsan/infotocap+0x6f4e4)
(BuildId: fdd1f41deec1e579af30ce5b63f67afa87f54f4d)
0x60e0000002df is located 1 bytes to the left of 152-byte region
[0x60e0000002e0,0x60e000000378)
allocated by thread T0 here:
#0 0x55555564731a in __interceptor_realloc
(/home/exp/bin/asan_ubsan/infotocap+0xf331a) (BuildId:
fdd1f41deec1e579af30ce5b63f67afa87f54f4d)
#1 0x5555556a10da in _nc_doalloc
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/doalloc.c:54:21
#2 0x5555556bd81b in _nc_tic_expand
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/comp_expand.c:86:16
#3 0x55555569410a in fmt_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1115:18
#4 0x555555699494 in dump_entry
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/dump_entry.c:1557:10
#5 0x555555684acf in main
/home/exp/src/ncurses/ncurses-6.5-20250503/progs/tic.c:1063:7
#6 0x7ffff7c2a1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7ffff7c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#8 0x5555555c34e4 in _start (/home/exp/bin/asan_ubsan/infotocap+0x6f4e4)
(BuildId: fdd1f41deec1e579af30ce5b63f67afa87f54f4d)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/captoinfo.c:646:9 in
_nc_infotocap
Shadow bytes around the buggy address:
0x0c1c7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1c7fff8020: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8030: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c1c7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c7fff8050: fd fd fd fa fa fa fa fa fa fa fa[fa]00 00 00 00
0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3336405==ABORTING
```
<<attachment: poc.zip>>
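Added triage aid (not part of this report or of ncurses): a small parser that pulls the fields a maintainer wants from the two ASan reports above, namely the bug kind, the faulting access, the first source-level frame, the neighbouring object and, where present, the allocation site, and derives a dedup key so repeated PoCs hitting the same line collapse to one bug. The report excerpts are cut down from the quoted output; the function names are my own.

```python
import re
# Constructed excerpts of the two ASan reports quoted above, cut down to the
# lines the parser reads; frames keep the e-mail's line wrapping.
REPORT1 = """\
==3276519==ERROR: AddressSanitizer: global-buffer-overflow on address
WRITE of size 4 at 0x5555557602f8 thread T0
#0 0x5555556ad1fd in tparam_internal
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/lib_tparm.c:863:4
0x5555557602f8 is located 8 bytes to the left of global variable
'_nc_prescreen' defined in
"""
REPORT2 = """\
==3336405==ERROR: AddressSanitizer: heap-buffer-overflow on address
READ of size 1 at 0x60e0000002df thread T0
#0 0x5555556bd295 in _nc_infotocap
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/captoinfo.c:646:9
0x60e0000002df is located 1 bytes to the left of 152-byte region
allocated by thread T0 here:
#0 0x55555564731a in __interceptor_realloc
(/home/exp/bin/asan_ubsan/infotocap+0xf331a) (BuildId:
#1 0x5555556a10da in _nc_doalloc
/home/exp/src/ncurses/ncurses-6.5-20250503/ncurses/tinfo/doalloc.c:54:21
"""
HEAD = re.compile(r"AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"\b(READ|WRITE) of size (\d+)")
# Function and file:line may be split across lines, so \s+ spans newlines.
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+)\s+(\S+?):(\d+):\d+")
WHERE = re.compile(r"is located (\d+) bytes? to the (left|right) of "
                   r"(?:global variable\s+'([^']+)'|(\d+)-byte region)")

def top_source_frame(stack):
    """First frame with a source location; interceptor frames have none."""
    m = FRAME.search(stack)
    return (m.group(1), m.group(2).rsplit("/", 1)[-1], int(m.group(3))) if m else None

def parse(report):
    """Extract the fields a triager needs from one ASan report."""
    crash, _, rest = report.partition(" is located ")
    access, where = ACCESS.search(crash), WHERE.search(report)
    _, _, alloc = rest.partition("allocated by thread")  # empty for globals
    region = ("global " + where.group(3)) if where.group(3) else where.group(4) + "-byte heap region"
    return {"kind": HEAD.search(report).group(1),
            "access": access.group(1), "size": int(access.group(2)),
            "top": top_source_frame(crash),
            "offset": int(where.group(1)), "side": where.group(2),
            "region": region, "alloc": top_source_frame(alloc)}

def triage_key(report):
    """Dedup key: same kind and faulting source line means the same bug."""
    p = parse(report)
    return "%s@%s:%d" % (p["kind"], p["top"][1], p["top"][2])
```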
