On Thu, Mar 12, 2026 at 09:46:19AM +0000, CHEN LINGFENG wrote:
> Hello,
>
> I would like to report a bug in `tic` in ncurses 6.5.

6.6 is current. There's no patch level given in this report;
6.5 release was a while ago.

> Reproducer:
>
> 1. Build ncurses with sanitizers enabled:
>
> `CC=clang`
> `CFLAGS="-O1 -g -fno-omit-frame-pointer
> -fsanitize=address,undefined,integer,bounds"`
> `LDFLAGS="-fsanitize=address,undefined,integer,bounds"`
>
> 2. UBSan reports:

There's no command-line or data given. Doing tic -x (with xterm-256color data)
doesn't give me an issue with next_char. It reports an (expected) underflow
on "if (len--)" line 142, but you're not talking about that.

Perhaps it's system-dependent, or data-dependent.

> `ncurses/tinfo/comp_scan.c:285:15: runtime error: addition of unsigned offset
> to 0x619000000098 overflowed to 0x619000000097`
>
> Backtrace:
>
> #0 next_char() at ncurses/tinfo/comp_scan.c:285
> #1 eat_escaped_newline() at ncurses/tinfo/comp_scan.c:332
> #2 _nc_get_token() at ncurses/tinfo/comp_scan.c:441
> #3 _nc_parse_entry() at ncurses/tinfo/parse_entry.c:297
> #4 _nc_read_entry_source() at ncurses/tinfo/comp_parse.c:236
> #5 main() at progs/tic.c:983
>
> Root cause:
>
> In `next_char()`, after leading whitespace is skipped, `strlen(bufptr)` can
> become 0.
> The code then evaluates `bufptr[len - 1]` in the loop condition, which
> becomes `bufptr[-1]` when `len == 0`.
>
> Best regards,
> Lingfeng Chen <https://aka.ms/GetOutlookForMac>

-- 
Thomas E. Dickey <[email protected]>
https://invisible-island.net
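
Added example, not part of the messages above and not ncurses code: a minimal C sketch of the pattern the report describes (indexing `p[len - 1]` after whitespace skipping leaves an empty string) next to a guarded form. The function names and the sample terminfo-like lines are constructed for illustration; whether `next_char()` in a given ncurses patch level reaches this state is the open question in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: skip leading whitespace, as the report says happens first. */
static const char *skip_ws(const char *p)
{
    while (isspace((unsigned char) *p))
        p++;
    return p;
}

/* Unguarded form of the reported pattern. If nothing is left after the
 * whitespace, len is 0, len - 1 wraps to SIZE_MAX, and p[len - 1] addresses
 * the byte before p (UBSan: "addition of unsigned offset ... overflowed").
 * Defined behaviour only when a non-newline character remains. */
size_t trimmed_len_unguarded(const char *line)
{
    const char *p = skip_ws(line);
    size_t len = strlen(p);
    while (p[len - 1] == '\n' || p[len - 1] == '\r')
        len--;
    return len;
}

/* Guarded form: len is tested before indexing, so p[-1] is never formed. */
size_t trimmed_len_guarded(const char *line)
{
    const char *p = skip_ws(line);
    size_t len = strlen(p);
    while (len > 0 && (p[len - 1] == '\n' || p[len - 1] == '\r'))
        len--;
    return len;
}

int main(void)
{
    /* Constructed inputs: a whitespace-only line and an entry-like line. */
    printf("%zu\n", trimmed_len_guarded("   \n"));
    printf("%zu\n", trimmed_len_guarded("  xterm|desc,\r\n"));
    return 0;
}
```

Building a reproducer like this with `-fsanitize=address,undefined` and feeding the unguarded function a whitespace-only line is a quick way to confirm whether a given toolchain reports the same diagnostic as the one quoted in the report.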
