URL:
  <https://savannah.gnu.org/bugs/?68360>

                 Summary: Off-by-one bug in src/resize.c:CheckMaxSize() causes heap OOB on resize
                   Group: GNU Screen
               Submitter: pdey
               Submitted: Mon 18 May 2026 10:43:46 AM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked
                 Release: 5.0.1
           Fixed Release: None
         Planned Release: None
           Work Required: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 18 May 2026 10:43:46 AM UTC By: Peter Dey <pdey>
A bug was reported in Debian #1117241 (https://bugs.debian.org/1117241)
describing a crash after resizing the terminal window.

Further investigation with ASan revealed an off-by-one bug in CheckMaxSize():
the early-return condition is inconsistent with the buffer sizing.

Reported behaviour observed:
- master-process aborts during/after terminal resize (I cannot reproduce
this)
- core dump mentioning corrupted size vs. prev_size

Current code in src/resize.c:

if (wi > MAXWIDTH)
    wi = MAXWIDTH;
if (wi <= maxwidth)
    return;
maxwidth = wi + 1;

I believe that final check:
    if (wi <= maxwidth)
should be
    if (wi < maxwidth)

If wi == maxwidth, reallocation is skipped even though required capacity is wi
+ 1.

A patch was supplied to Debian (edited) - attached here.

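The following is an added illustration, not code from the report or from GNU Screen. It models CheckMaxSize() with a single heap buffer whose capacity is taken to be exactly `maxwidth` bytes (an assumption standing in for screen's real per-line buffers), and lets the caller choose between the current condition `wi <= maxwidth` and the proposed `wi < maxwidth`. The simulation grows the buffer for a width of 80, then resizes to 81, and reports whether the `wi + 1` bytes the resize needs still fit; `MAXWIDTH` is a placeholder value, not screen's actual limit.

```c
#include <stdlib.h>
#include <stdio.h>

/* Placeholder cap; the real MAXWIDTH is defined in screen's headers. */
#define MAXWIDTH 1024

/* Model state: one buffer whose capacity is assumed to equal maxwidth bytes,
   standing in for the per-line buffers CheckMaxSize() is expected to grow. */
struct model {
    int maxwidth;
    char *buf;      /* capacity == maxwidth (assumption for this model) */
};

/* Mirror of the reported logic. `fixed` selects the proposed condition
   (wi < maxwidth) instead of the current one (wi <= maxwidth). */
static void check_max_size(struct model *m, int wi, int fixed)
{
    if (wi > MAXWIDTH)
        wi = MAXWIDTH;
    if (fixed ? (wi < m->maxwidth) : (wi <= m->maxwidth))
        return;                      /* capacity judged sufficient: no realloc */
    m->maxwidth = wi + 1;            /* required capacity is wi + 1 */
    char *p = realloc(m->buf, (size_t)m->maxwidth);
    if (p == NULL) {
        perror("realloc");
        exit(EXIT_FAILURE);
    }
    m->buf = p;
}

/* A resize to width wi writes wi + 1 bytes; return 1 if that stays in bounds
   of the modelled capacity, 0 if it would run off the end (the heap OOB). */
static int write_fits(const struct model *m, int wi)
{
    return wi + 1 <= m->maxwidth;
}

/* Grow for `first`, then resize to `second`; return whether the second
   resize's write fits. Returns 1 (fits) or 0 (out of bounds). */
int simulate(int first, int second, int fixed)
{
    struct model m = { 0, NULL };
    check_max_size(&m, first, fixed);
    check_max_size(&m, second, fixed);
    int ok = write_fits(&m, second);
    free(m.buf);
    return ok;
}

int main(void)
{
    /* With the current condition, resizing from 80 to 81 skips the realloc:
       maxwidth stays 81 while the write needs 82 bytes. */
    printf("current check, 80 -> 81: %s\n",
           simulate(80, 81, 0) ? "fits" : "OUT OF BOUNDS");
    printf("proposed check, 80 -> 81: %s\n",
           simulate(80, 81, 1) ? "fits" : "OUT OF BOUNDS");
    return 0;
}
```

The only case the two conditions disagree on is `wi == maxwidth`: the current check returns early with a buffer one byte too small, the proposed check reallocates to `wi + 1`.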
    _______________________________________________________
File Attachments:

Fix off-by-one maxwidth check

Name: fix-checkmaxsize-off-by-one.patch Size: 485B

<https://file.savannah.gnu.org/file/fix-checkmaxsize-off-by-one.patch?file_id=58626>