Good evening,

I confirmed a stack overflow by compiling ncurses with ASAN enabled, caused by the fact that wgetch() can write one byte past the stack buffer. I'd suggest fixing this by allocating an extra byte for the terminator: char buf[MAXCOLUMNS + 1].
I'm attaching a suggested patch along with a copy of the stack overflow. Full disclosure: I'm currently building an open source bug and security vulnerability scanner called N184. N184 was used to find this bug. You can read more about N184 here: https://github.com/MillaFleurs/N184

Thank you!

Dan

=================================================================
==55421==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016f94a967 at pc 0x0001004f7824 bp 0x00016f94a630 sp 0x00016f94a628
WRITE of size 1 at 0x00016f94a967 thread T0
    #0 0x0001004f7820 in wgetnstr lib_getstr.c:194
    #1 0x0001004f57b4 in recur_wgetnstr lib_getch.c:410
    #2 0x0001004f40e8 in _nc_wgetch lib_getch.c:472
    #3 0x0001004f6824 in wgetch lib_getch.c:670
    #4 0x0001004b493c in main getch-poc.c:14
    #5 0x00019f4c9d50 in start+0x1c0c (dyld:arm64e+0x8d50)

Address 0x00016f94a967 is located in stack of thread T0 at offset 167 in frame
    #0 0x0001004f1fd8 in _nc_wgetch lib_getch.c:424

  This frame has 1 object(s):
    [32, 167) 'buf' (line 462) <== Memory access at offset 167 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow lib_getstr.c:194 in wgetnstr
Shadow bytes around the buggy address:
  0x00016f94a680: 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x00016f94a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016f94a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016f94a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016f94a880: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x00016f94a900: 00 00 00 00 00 00 00 00 00 00 00 00[07]f3 f3 f3
  0x00016f94a980: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x00016f94aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016f94aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016f94ab00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3
  0x00016f94ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==55421==ABORTING
patch.diff
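The off-by-one described in the report, reduced to a self-contained illustration. This is added example code, not ncurses code and not the attached patch: read_line_buggy, read_line_fixed, the MAXCOLUMNS value of 16 and the canary harness are all assumptions chosen for the demonstration. The buggy reader accepts up to `cap` characters and then stores the terminator at buf[cap], one byte past a buffer of exactly `cap` bytes; the fixed reader reserves the last byte for the terminator, which is the same effect as the report's suggestion of declaring the buffer one byte larger than the character limit. The harness backs the buffer with one extra canary byte so the stray write lands somewhere observable instead of on a real stack neighbour; with the buffer declared at exactly MAXCOLUMNS bytes, ASan would flag the same write as a stack-buffer-overflow, as in the report above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this example only (ncurses uses its own MAXCOLUMNS). */
#define MAXCOLUMNS 16
#define CANARY 0xA5

/* Buggy pattern: copy up to `cap` characters, then write the terminator.
 * When the input fills the buffer, n == cap and buf[cap] is one past the end. */
static size_t read_line_buggy(char *buf, size_t cap, const char *input)
{
    size_t n = 0;
    while (input[n] != '\0' && input[n] != '\n' && n < cap) {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';              /* off-by-one write when n == cap */
    return n;
}

/* Fixed pattern: keep one byte of `cap` back for the terminator, so the
 * loop stops at cap - 1 and buf[n] is always inside the buffer. */
static size_t read_line_fixed(char *buf, size_t cap, const char *input)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    while (input[n] != '\0' && input[n] != '\n' && n < cap - 1) {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

typedef size_t (*reader_fn)(char *, size_t, const char *);

/* Harness: the reader is told the buffer holds MAXCOLUMNS bytes, but the
 * backing array carries one extra canary byte right after it. If the
 * terminator is written past the advertised size, the canary changes.
 * Returns 1 if the canary survived, 0 if the reader overwrote it. */
int canary_survives(reader_fn reader, const char *input)
{
    unsigned char backing[MAXCOLUMNS + 1];
    memset(backing, CANARY, sizeof backing);
    reader((char *)backing, MAXCOLUMNS, input);
    return backing[MAXCOLUMNS] == CANARY;
}

int main(void)
{
    /* Constructed input: longer than MAXCOLUMNS, so the buffer fills. */
    const char *input = "0123456789ABCDEFGHIJ";

    printf("buggy reader: canary %s\n",
           canary_survives(read_line_buggy, input) ? "intact" : "CLOBBERED");
    printf("fixed reader: canary %s\n",
           canary_survives(read_line_fixed, input) ? "intact" : "CLOBBERED");
    return 0;
}
```

Compiling this with `-fsanitize=address` and changing the backing array to exactly MAXCOLUMNS bytes turns the clobbered canary into an ASan stack-buffer-overflow report on the buggy reader, which is the quickest way to confirm a suspected one-past-the-end terminator write in a fixed-size reader.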
