Package: dialog
Version: 1.3-20201126-1
Severity: normal
Dear Maintainer,

There is a segfault bug in the editbox widget. Specifically, the dialog can segfault when typing a line that is longer than the --max-input.

Steps to reproduce:

1. Run: touch /tmp/foo && dialog --max-input 10 --editbox /tmp/foo 18 80
2. Type a very long string. On my system, it suffices to type a 40-character string.

The root cause of this bug seems to be a heap buffer overflow in the editbox input buffer. The buffer overflow seems in turn to originate in this line in dlg_editbox():

    644     strncpy(buffer, input, max_len - 1)[max_len - 1] = '\0';

If the length of the string in the buffer and the cursor position (i.e., *chr_offset) are both equal to max_len, setting buffer[max_len - 1] to \0 reduces the string length by one. This causes the cursor position to exceed the string length. Since dlg_edit_string() checks only the string length and not the cursor position, this leads eventually to buffer overflow when typing new characters in the same line.

Note that this bug seems to be the same as the one reported a couple of years ago here:
https://lists.gnu.org/archive/html/bug-ncurses/2019-06/msg00001.html

-- System Information:
Debian Release: 9.13
  APT prefers stable
  APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-91-generic (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages dialog depends on:
ii  debianutils   4.8.1.1
ii  libc6         2.31-13+deb11u2
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6     6.2+20201114-2

dialog recommends no packages.

dialog suggests no packages.

-- no debconf information
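The following is an added illustration of the invariant the report describes, not code from dialog itself: a line buffer whose text is truncated by strncpy while the cursor offset is left at its old value ends up with an offset past the end of the string, and a later insertion at that offset writes out of bounds. The struct `edit_line`, the functions `load_line_naive`, `load_line_clamped`, `line_is_consistent` and `insert_char`, and the constant `MAX_LEN` are hypothetical names chosen for this example; `MAX_LEN` of 10 mirrors the `--max-input 10` from the reproduction steps. The hardened loader clamps the offset to the truncated length, and the insert routine re-checks the invariant before it moves any bytes.

```c
/* Added example (not dialog's own code). Demonstrates why a cursor offset
 * must be re-clamped after a fixed-size buffer is truncated, and a checked
 * insertion that refuses to write when the invariant offset <= strlen(buffer)
 * does not hold. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 10   /* stands in for --max-input 10; constructed value */

typedef struct {
    char buffer[MAX_LEN];
    size_t chr_offset;   /* cursor position; must never exceed strlen(buffer) */
} edit_line;

/* Naive load: the truncation pattern from the report. The text is cut to
 * MAX_LEN - 1 characters but the cursor is stored unchanged, so a cursor
 * that was valid for the full input can now point past the NUL. */
void load_line_naive(edit_line *l, const char *input, size_t cursor)
{
    strncpy(l->buffer, input, MAX_LEN - 1)[MAX_LEN - 1] = '\0';
    l->chr_offset = cursor;
}

/* Hardened load: same truncation, then clamp the cursor to the new length. */
void load_line_clamped(edit_line *l, const char *input, size_t cursor)
{
    strncpy(l->buffer, input, MAX_LEN - 1)[MAX_LEN - 1] = '\0';
    size_t len = strlen(l->buffer);
    l->chr_offset = cursor > len ? len : cursor;
}

/* Invariant a maintainer could assert before every editing operation. */
bool line_is_consistent(const edit_line *l)
{
    return l->chr_offset <= strlen(l->buffer);
}

/* Insert one character at the cursor. Refuses (returns false) when the
 * cursor is out of range or the buffer has no room for one more byte plus
 * the terminating NUL, so no write can land outside buffer[]. */
bool insert_char(edit_line *l, char c)
{
    size_t len = strlen(l->buffer);
    if (!line_is_consistent(l) || len + 1 >= MAX_LEN)
        return false;
    /* Shift the tail (including its NUL) right by one, then drop c in. */
    memmove(l->buffer + l->chr_offset + 1,
            l->buffer + l->chr_offset,
            len - l->chr_offset + 1);
    l->buffer[l->chr_offset++] = c;
    return true;
}

int main(void)
{
    edit_line l;
    /* Constructed input: 16 characters, cursor at 10 (== MAX_LEN). */
    load_line_naive(&l, "abcdefghijklmnop", 10);
    printf("naive:   len=%zu offset=%zu consistent=%d\n",
           strlen(l.buffer), l.chr_offset, line_is_consistent(&l));
    load_line_clamped(&l, "abcdefghijklmnop", 10);
    printf("clamped: len=%zu offset=%zu consistent=%d\n",
           strlen(l.buffer), l.chr_offset, line_is_consistent(&l));
    return 0;
}
```

Run as written, the naive loader reports an offset of 10 against a string of length 9, which is exactly the state the report describes, while the clamped loader brings the offset back to 9. The same clamp, applied wherever the buffer is (re)filled, is the minimal fix; the check in insert_char is the belt-and-braces guard that turns a latent inconsistency into a refused keystroke rather than a heap write.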