Dear Screen Maintainers,

I have identified a null pointer dereference vulnerability in GNU Screen 5.0.0, 
located in source file src/layout.c inside function CreateLayout().

Test Environment Info (required by official bug reporting rules):
 Screen Version: 5.0.0
 Operating System: Linux
 Compiler: GCC

Vulnerability Overview:
 In function CreateLayout(), the program calls calloc() to allocate Layout 
structure memory for pointer lay.
 The returned pointer is used directly without NULL verification after calloc 
allocation.
 When system memory is exhausted and calloc returns NULL, accessing structure 
members via the null pointer will trigger program segmentation fault and crash.

This flaw can be triggered intentionally by continuous memory allocation calls 
to exhaust system RAM, leading to local denial-of-service attacks.

Vulnerability Type: CWE-476 NULL Pointer Dereference
 Risk: Repeated triggering leads to program abnormal exit, bringing Slow DoS 
risk.

A complete vulnerability analysis report and patch suggestion are attached.
 This is a private responsible disclosure. I will not publish any vulnerability 
details before you release an official fix.

Please verify this issue. Looking forward to your reply and CVE assignment.

Best regards,
 Ao Xijie

Attachment: layout.c_Screen5.0.0_Null_Deref_Report.md
Description: Binary data

Reply via email to