Greetings,

Recent changes to lib/libterminfo and usr.bin/tic make tic crash on 
out-of-boundary memory access.

(this is on macOS):

tools.i386/bin/nbtic -Sx src/share/terminfo/terminfo
nbtic(86018,0x1187eedc0) malloc: Incorrect checksum for freed object 0x7fad17473290: probably modified after being freed.
Corrupt value: 0x700000000000ffff
nbtic(86018,0x1187eedc0) malloc: *** set a breakpoint in malloc_error_break to debug
Abort


Backtrace:

frame #10: 0x0000000100002f33 nbtic`_ti_grow_tbuf(tbuf=0x0000000100406e58, len=4) at compile.c:80:10
frame #11: 0x00000001000046e9 nbtic`_ti_compile(cap="\n\tpln@, rs3=\\EwG\\Ee)$<200>, use=wy160,", flags=21) at compile.c:627:9
frame #12: 0x0000000100001a53 nbtic`process_entry(buf=0x00007ffeefbff868, flags=21) at tic.c:181:8
frame #13: 0x00000001000016f4 nbtic`main(argc=3, argv=0x00007ffeefbff900) at tic.c:553:4


This patch fixes the problem:

diff -u -r1.14 compile.c
--- lib/libterminfo/compile.c   13 Mar 2020 15:19:25 -0000      1.14
+++ lib/libterminfo/compile.c   27 Mar 2020 11:42:22 -0000
@@ -625,7 +625,7 @@
                                if (_ti_find_cap(&tic->nums, 'n', ind) != NULL)
                                        continue;
                                if (_ti_grow_tbuf(&tic->nums,
-                                       sizeof(uint16_t) * 2) == NULL)
+                                       sizeof(uint16_t) + sizeof(uint32_t)) == 
NULL)
                                        goto error;
                                le16enc(tic->nums.buf + tic->nums.bufpos,
                                    (uint16_t)ind);
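Review bot: the reservation passed to _ti_grow_tbuf should be tied to the widths of the writes that follow it rather than restated as a second arithmetic expression; the hunk only shows le16enc() of ind, so the 32-bit write that the added sizeof(uint32_t) accounts for lies outside the visible context. A one-line comment at the call (for example `/* 16-bit index + 32-bit value */`) would make the pairing checkable by the next reader, and a quick grep for other `_ti_grow_tbuf(&tic->nums, ...)` callers would confirm none still reserve `sizeof(uint16_t) * 2`. Also, the `+` line is wrapped by the mail client after `== `, so the patch will not apply with patch(1) as posted; please resend it unwrapped or as an attachment.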


OK to commit? :)

Kind regards,
Adam
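The defect class behind this crash, as an added example that is not part of the original message or of libterminfo: a caller reserves fewer bytes in a growable buffer than it then writes (here 4 bytes reserved, 2 + 4 written), and the two bytes past the allocation corrupt heap metadata that malloc only notices later. The buffer type `tbuf_t`, `tbuf_grow()`, `append_num()` and `exercise()` below are hypothetical names for this illustration and do not mirror the real `_ti_grow_tbuf()` API; the safe variant derives the reservation from the same constants as the writes and refuses an under-sized one instead of trusting the caller.

```c
/* Added example, not libterminfo code. A minimal growable byte buffer in the
 * style of the patch: reserve space, then append a 16-bit index followed by
 * a 32-bit value. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *buf;
    size_t   buflen;   /* bytes allocated */
    size_t   bufpos;   /* bytes in use */
} tbuf_t;

/* Ensure at least `len` free bytes after bufpos, growing exactly as asked so
 * that an under-sized reservation really is too small (no hidden slack). */
static void *tbuf_grow(tbuf_t *tb, size_t len)
{
    if (tb->buflen - tb->bufpos >= len)
        return tb->buf;
    size_t newlen = tb->bufpos + len;
    uint8_t *nb = realloc(tb->buf, newlen);
    if (nb == NULL)
        return NULL;
    tb->buf = nb;
    tb->buflen = newlen;
    return nb;
}

static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Append one numeric capability: 16-bit index, then 32-bit value.
 * `reserve` is what the caller asks tbuf_grow() for; the write itself always
 * needs sizeof(uint16_t) + sizeof(uint32_t) bytes.
 * Returns 0 on success, -1 on allocation failure, -2 when the reservation is
 * smaller than the bytes about to be written (the bug the patch fixes). */
static int append_num(tbuf_t *tb, uint16_t ind, uint32_t val, size_t reserve)
{
    const size_t need = sizeof(uint16_t) + sizeof(uint32_t);

    if (tbuf_grow(tb, reserve) == NULL)
        return -1;
    /* Check against the real write size rather than trusting the caller:
     * with reserve == sizeof(uint16_t) * 2 this refuses the write instead of
     * spilling two bytes past the allocation. */
    if (reserve < need || tb->buflen - tb->bufpos < need)
        return -2;
    put_le16(tb->buf + tb->bufpos, ind);
    tb->bufpos += sizeof(uint16_t);
    put_le32(tb->buf + tb->bufpos, val);
    tb->bufpos += sizeof(uint32_t);
    return 0;
}

/* Bytes produced by the last successful exercise(), for inspection. */
static uint8_t last_out[6];

/* Run one append on a fresh buffer with the given reservation; returns the
 * append_num() result and the resulting bufpos through *pos (if non-NULL). */
static int exercise(size_t reserve, size_t *pos)
{
    tbuf_t tb = { NULL, 0, 0 };
    int rc = append_num(&tb, 1, 0x12345678u, reserve);

    if (rc == 0)
        memcpy(last_out, tb.buf, sizeof(last_out));
    if (pos != NULL)
        *pos = tb.bufpos;
    free(tb.buf);
    return rc;
}

int main(void)
{
    size_t pos;
    int rc = exercise(sizeof(uint16_t) * 2, &pos);           /* pre-patch size */
    printf("reserve 4: rc=%d bufpos=%zu\n", rc, pos);
    rc = exercise(sizeof(uint16_t) + sizeof(uint32_t), &pos); /* patched size */
    printf("reserve 6: rc=%d bufpos=%zu first=%02x last=%02x\n",
           rc, pos, last_out[0], last_out[5]);
    return 0;
}
```

Without the explicit size check, the 4-byte variant would compile and run, and the two-byte overrun would surface only as the "Incorrect checksum for freed object" abort seen in the report; making the writer own the size computation turns a latent heap overflow into an immediate, testable error return.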
