Dear Maintainer,
I tried to collect some more information about this issue.


With the help of rr-debugger I reached this function,
which "returns" a pointer to a static variable buf:

    (rr) bt
    #0  0x0000563a2b2373b6 in menuSize (options=<optimized out>, mode=<optimized 
out>, width=0x7ffdd199be38, height=0x7ffdd199be3c) at ./whiptail.c:236
    #1  guessSize (options=<optimized out>, text=<optimized out>, title=<optimized out>, 
fullButtons=<optimized out>, flags=<synthetic pointer>, mode=<optimized out>, width=<synthetic 
pointer>, height=<synthetic pointer>) at ./whiptail.c:262
    #2  main (argc=<optimized out>, argv=<optimized out>) at ./whiptail.c:520
    (rr) list 202,237
    202     static int menuSize(int * height, int * width, enum mode mode,
    203                         poptContext options) {
    204         const char ** argv = poptGetArgs(options);
    205         const char ** items = argv;
    206         int         h = 0;
    207         int         tagWidth = 0;
    208         int         descriptionWidth = 0;
    209         int         overhead = 10;
    210         static char buf[20];
    211
    ...
    232
    233         h = min(h, SLtt_Screen_Rows - *height - 4);
    234         *height = *height + h + 1;
    235         sprintf(buf, "%d", h);
    236        *items = buf;                                  <<<<<<<<<
    237         return 0;
    (rr) print &buf
    $7 = (char (*)[20]) 0x563a2b23b2c0 <buf>


A little later libpopt0 attempts to free this pointer:

    (rr) bt
    ...
    #5  0x00007f49c889322a in malloc_printerr (str=str@entry=0x7f49c89b41d0 "free(): 
invalid pointer") at ./malloc/malloc.c:5659
    #6  0x00007f49c8894d6c in _int_free (av=<optimized out>, p=<optimized out>, 
have_lock=have_lock@entry=0) at ./malloc/malloc.c:4434
    #7  0x00007f49c88978df in __GI___libc_free (mem=<optimized out>) at 
./malloc/malloc.c:3386
    #8  0x00007f49c8fff829 in _free (p=<optimized out>) at ./src/poptint.h:22
    #9  poptResetContext (con=<optimized out>) at ./src/popt.c:220
    #10 poptResetContext (con=0x563a2cb8b440) at ./src/popt.c:202
    #11 0x00007f49c9001635 in poptFreeContext (con=con@entry=0x563a2cb8b440) at 
./src/popt.c:1531
    #12 0x0000563a2b237071 in main (argc=<optimized out>, argv=<optimized out>) 
at ./whiptail.c:628
    ...
    (rr) print p
    $1 = (const void *) 0x563a2b23b2c0 <buf>
    ...
    (rr) print con->leftovers[3]
    $3 = (poptString) 0x563a2b23b2c0 <buf> "3"



A package built with the following modification,
which allocates memory that can be freed,
no longer shows this crash.
(I have not investigated further whether
libpopt0 is supposed to free this pointer.)

    --- newt-0.52.21.orig/whiptail.c
    +++ newt-0.52.21/whiptail.c
    @@ -207,7 +207,7 @@ static int menuSize(int * height, int *
        int         tagWidth = 0;
        int         descriptionWidth = 0;
        int         overhead = 10;
    -    static char buf[20];
    +    char        buf[20];
if ( argv == 0 || *argv == 0 )
            return 0;
    @@ -233,7 +233,7 @@ static int menuSize(int * height, int *
        h = min(h, SLtt_Screen_Rows - *height - 4);
        *height = *height + h + 1;
        sprintf(buf, "%d", h);
    -   *items = buf;
    +   *items = strdup(buf);
        return 0;
    }
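Review bot: The `strdup(buf)` result on the added line is not checked; if the allocation fails, `*items` becomes NULL and the leftover argument handed to popt (and to the later `*argv` readers) is a null pointer rather than the menu height string. Guard it, e.g. `*items = strdup(buf); if (*items == NULL) return 1;`, choosing the non-zero value that the callers of menuSize in guessSize already treat as failure (the function's prologue and error convention are outside the hunk). The two hunks must land together: with only the first one, `buf` would become an automatic array and the old `*items = buf;` would leave a dangling stack pointer in the argv vector. On the ownership question raised above, the backtrace shows `poptResetContext` freeing `con->leftovers`, which suggests popt does take ownership of strings placed there, so handing it a heap copy is consistent with that; it would be worth confirming against the popt documentation before relying on it.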



The following Debian bug seems to mention similar issues in gdisk and svox:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941814

And this libpopt0 upstream tracker issue also sounds related:

    https://github.com/rpm-software-management/popt/issues/80


Kind regards,
Bernhard
