##Summary
A global buffer overflow exists in tparam_internal() when processing a
malformed terminfo source file. The function writes 4 bytes out of bounds into
a global redzone, located 24 bytes after the _nc_globals structure and 8 bytes
before _nc_prescreen, due to an out‑of‑range index while parsing a
parameterized string capability.
##Vulnerability Details
**Program**: tic (from ncurses)
**Version**: 6.6
**Crash Type**: global-buffer-overflow (ASan)
**Root Cause**: tparam_internal() accesses an array or buffer using an index
derived from malformed terminfo data (e.g., an invalid parameter count or
format specifier). The index exceeds the allocated bounds of the global data
structure, causing a 4‑byte write into a redzone area between two global
variables, leading to memory corruption.
##ASAN report
=================================================================
==3390180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x56335fdf32b8 at pc 0x56335fd6686e bp 0x7ffde4ce3770 sp 0x7ffde4ce3760
WRITE of size 4 at 0x56335fdf32b8 thread T0
#0 0x56335fd6686d in tparam_internal ../ncurses/./tinfo/lib_tparm.c:863
#1 0x56335fd6e7df in _nc_tiparm ../ncurses/./tinfo/lib_tparm.c:1393
#2 0x56335fd760e3 in set_attribute_9 ../ncurses/./tinfo/trim_sgr0.c:117
#3 0x56335fd76c90 in _nc_trim_sgr0 ../ncurses/./tinfo/trim_sgr0.c:309
#4 0x56335fd504b3 in fmt_entry ../progs/dump_entry.c:1089
#5 0x56335fd52e3d in dump_entry ../progs/dump_entry.c:1557
#6 0x56335fd37f8e in main ../progs/tic.c:1063
#7 0x7fd56f02a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7fd56f02a28a in __libc_start_main_impl ../csu/libc-start.c:360
#9 0x56335fd33e44 in _start
(/home/xmut/wyf/LLM-optionFuzz/benchlatest/ncurses-asan/ncurses-6.6/progs/tic+0x38e44)
(BuildId: 86e96ddefde07521953ce00114ad9dfc6b31ad04)
0x56335fdf32b8 is located 24 bytes after global variable '_nc_globals' defined
in '../ncurses/./tinfo/lib_data.c:119:37' (0x56335fdf30c0) of size 480
0x56335fdf32b8 is located 8 bytes before global variable '_nc_prescreen'
defined in '../ncurses/./tinfo/lib_data.c:236:39' (0x56335fdf32c0) of size 656
SUMMARY: AddressSanitizer: global-buffer-overflow
../ncurses/./tinfo/lib_tparm.c:863 in tparam_internal
Shadow bytes around the buggy address:
0x56335fdf3000: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x56335fdf3080: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x56335fdf3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x56335fdf3280: 00 00 00 00 f9 f9 f9[f9]00 00 00 00 00 00 00 00
0x56335fdf3300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x56335fdf3500: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3390180==ABORTING
###Root Cause
1.tic processes a malformed terminfo source file containing numerous syntax
errors, including invalid capability names, missing separators, and illegal
characters.
2.During the output formatting stage, fmt_entry() calls _nc_trim_sgr0() to
normalize the sgr0 (exit attribute) capability, which in turn invokes
_nc_tiparm() and eventually tparam_internal() to expand parameterized strings.
3.The malformed input causes tparam_internal() to compute an out‑of‑bounds
index while accessing an internal array (likely the parameter stack or a buffer
used for variable substitution). The index is derived from the malformed
string's format specifiers (e.g., %p, %9, %|, etc.), which are not properly
validated.
4.This results in a 4‑byte write at an address that lies in the global redzone
between _nc_globals (size 480) and _nc_prescreen (starting at offset 512). The
ASAN shadow byte at that location is f9 (global redzone), confirming the
overflow.
###Vulnerable Code (lib_tparm.c:863)
```c
npush(tps, (int) data->param[i]);
```
##Proof of Concept
**PoC File**: tic_global_buffer_overflow
https://github.com/raind20001020/Poc/blob/main/tic_global_buffer_overflow
**Reproduction**:
``bash
tic -C -a -o /tmp/output_dir tic_global_buffer_overflow
```
## Credit
Yufeng Wu、Zhijie Zhang、Qizhen Xu
tic_global_buffer_overflow
Description: Binary data
