CC'ing ncurses maintainer, it looks like the library might be at fault
here.

On 2018-05-15 03:05 +0900, nozzy123no...@gmail.com wrote:

> Package: f-irc
> Version: 1.36-1+b3
> Severity: serious
>
> Dear Maintainer,
>
>  This version of f-irc always gets SEGV when the TERM environment
> variable is set to xterm-256color, which is the default under gnome-terminal.
>
>  However, when I set TERM to xterm, vt100 or kterm, f-irc seems to work
> well.
>
>  Has anyone fixed this problem?

No fix, but at least a backtrace in gdb:

,----
| Program received signal SIGSEGV, Segmentation fault.
| _nc_pair_content (sp=0x5659daf0, pair=7353, f=0xffffd1a4, b=0xffffd1a8) at ../../ncurses/base/lib_color.c:942
| 942             int bg = BACK_OF(sp->_color_pairs[pair]);
| (gdb) bt full
| #0  _nc_pair_content (sp=0x5659daf0, pair=7353, f=0xffffd1a4, b=0xffffd1a8) at ../../ncurses/base/lib_color.c:942
|         fg = <error reading variable fg (Cannot access memory at address 0x56643004)>
|         bg = <optimized out>
|         result = 1449406468
| #1  0xf7f713de in pair_content_sp (sp=0x5659daf0, pair=7353, f=0xffffd216, b=0xffffd218)
|     at ../../ncurses/base/lib_color.c:972
|         my_f = 0
|         my_b = 0
|         rc = <optimized out>
| #2  0xf7f7147a in pair_content (pair=7353, f=0xffffd216, b=0xffffd218) at ../../ncurses/base/lib_color.c:984
| No locals.
| #3  0x5657b88b in init_nick_colorpairs () at nickcolor.c:90
|         pair = 7353
|         cr = 680
|         cg = 0
|         cb = 680
|         loop = 5
|         fg = 0
|         bg = 0
|         fg_r = 255
|         fg_g = 255
|         fg_b = 255
|         bg_r = 0
|         bg_g = 0
|         bg_b = 0
| #4  0x5655d7b3 in main (argc=1, argv=0xffffd394) at main.c:670
|         config_loaded = -1
`----

To investigate the issue more closely, I set a breakpoint on
pair_content and used the "cont" command with some increments until I
got to the critical value of pair=7353.  Then I single-stepped through
the code:

,----
| Breakpoint 1, pair_content (pair=7353, f=0xffffd216, b=0xffffd218) at ../../ncurses/base/lib_color.c:983
| 983     {
| (gdb) step
| 984         return NCURSES_SP_NAME(pair_content) (CURRENT_SCREEN, pair, f, b);
| (gdb) step
| pair_content_sp (sp=0x5659daf0, pair=7353, f=0xffffd216, b=0xffffd218) at ../../ncurses/base/lib_color.c:970
| 970     {
| (gdb) step
| 972         int rc = _nc_pair_content(SP_PARM, pair, &my_f, &my_b);
| (gdb) step
| 970     {
| (gdb) step
| 972         int rc = _nc_pair_content(SP_PARM, pair, &my_f, &my_b);
| (gdb) step
| _nc_pair_content (sp=0x5659daf0, pair=7353, f=0xffffd1a4, b=0xffffd1a8) at ../../ncurses/base/lib_color.c:929
| 929     {
| (gdb) step
| 938         if (!ValidPair(sp, pair)) {
| (gdb) step
| 941             int fg = FORE_OF(sp->_color_pairs[pair]);
| (gdb) step
| 951             if (f)
| (gdb) step
| 941             int fg = FORE_OF(sp->_color_pairs[pair]);
| (gdb) step
| 942             int bg = BACK_OF(sp->_color_pairs[pair]);
| (gdb) step
| 
| Program received signal SIGSEGV, Segmentation fault.
| _nc_pair_content (sp=0x5659daf0, pair=7353, f=0xffffd1a4, b=0xffffd1a8) at ../../ncurses/base/lib_color.c:942
| 942             int bg = BACK_OF(sp->_color_pairs[pair]);
`----

What is sp->_color_pairs[pair] ?  It is not accessible:

,----
| (gdb) print sp->_color_pairs[pair]
| Cannot access memory at address 0x56643004
| (gdb) print sp->_color_pairs[pair-1]
| Cannot access memory at address 0x56643000
| (gdb) print sp->_color_pairs[pair-2]
| $1 = {fg = 0, bg = 0, mode = 0, prev = 0, next = 0}
`----

So it seems that the ncurses library did not allocate enough memory to
hold all the color pairs in sp->_color_pairs, resulting in the eventual
heap buffer overflow.

That's how far I have tracked the issue, hopefully Thomas Dickey can
investigate it further and even provide a fix.

Cheers,
       Sven
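An added example, not code from f-irc or from ncurses: a stand-alone model of the lookup seen in the backtrace, with the unchecked indexing placed beside a version that bounds the pair index by the length of the table that was actually allocated. The element layout follows the gdb print of sp->_color_pairs[pair-2] above; the 256-entry table size, the function names and the curses-style OK/ERR codes are assumptions made for this demo. The pair value 7353 is the one from the crash.

```c
#include <stdio.h>
#include <stdlib.h>

/* curses-style return codes (assumed for the demo) */
#define OK   0
#define ERR (-1)

/* Element layout taken from what gdb printed for sp->_color_pairs[pair-2]
 * in the report; everything else in this file is a model, not ncurses source. */
typedef struct {
    int fg, bg, mode, prev, next;
} colorpair_t;

/* A pair table that carries its own allocated length. */
typedef struct {
    colorpair_t *pairs;   /* heap array, like sp->_color_pairs */
    int          npairs;  /* number of entries actually allocated */
} pair_table_t;

static pair_table_t *pair_table_new(int npairs)
{
    pair_table_t *t;
    if (npairs <= 0)
        return NULL;
    t = calloc(1, sizeof *t);
    if (t == NULL)
        return NULL;
    t->pairs = calloc((size_t)npairs, sizeof *t->pairs);
    if (t->pairs == NULL) {
        free(t);
        return NULL;
    }
    t->npairs = npairs;
    return t;
}

static void pair_table_free(pair_table_t *t)
{
    if (t != NULL) {
        free(t->pairs);
        free(t);
    }
}

/* Shape of the read at lib_color.c:941-942 in the backtrace: nothing here
 * relates `pair` to the size of the heap block, so an index past the end
 * reads out of bounds. Only reachable through the checked wrapper below. */
static int pair_content_unchecked(const pair_table_t *t, int pair, int *f, int *b)
{
    *f = t->pairs[pair].fg;
    *b = t->pairs[pair].bg;
    return OK;
}

/* Hardened lookup: validate against the length that was actually allocated,
 * not against a separately maintained maximum that may disagree with it. */
static int pair_content_checked(const pair_table_t *t, int pair, int *f, int *b)
{
    if (t == NULL || f == NULL || b == NULL)
        return ERR;
    if (pair < 0 || pair >= t->npairs)
        return ERR;
    return pair_content_unchecked(t, pair, f, b);
}

/* The same bound applied on the write side. */
static int init_pair_checked(pair_table_t *t, int pair, int fg, int bg)
{
    if (t == NULL || pair < 0 || pair >= t->npairs)
        return ERR;
    t->pairs[pair].fg = fg;
    t->pairs[pair].bg = bg;
    return OK;
}

/* Demo helper: allocate `npairs` entries, define `pair` as (fg=1, bg=2) and
 * read it back. Returns OK only if both calls succeed and the read matches. */
static int roundtrip_status(int npairs, int pair)
{
    int f = -1, b = -1, rc = ERR;
    pair_table_t *t = pair_table_new(npairs);
    if (t == NULL)
        return ERR;
    if (init_pair_checked(t, pair, 1, 2) == OK &&
        pair_content_checked(t, pair, &f, &b) == OK &&
        f == 1 && b == 2)
        rc = OK;
    pair_table_free(t);
    return rc;
}

int main(void)
{
    /* 256 entries stand in for a table smaller than the indexes an
     * application generates; 7353 is the pair number from the backtrace. */
    int idx[] = { 0, 5, 255, 256, 7353, -1 };
    size_t i;
    for (i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("pair %5d: %s\n", idx[i],
               roundtrip_status(256, idx[i]) == OK ? "OK" : "ERR (out of range)");
    return 0;
}
```

Build with `cc -Wall -fsanitize=address demo.c` so that any remaining unchecked index shows up as a heap-buffer-overflow report rather than a bare SIGSEGV. Against the real binary, a conditional breakpoint such as `break pair_content if pair == 7353` stops gdb at the offending call directly, instead of repeating "cont" until the interesting value comes around.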
