Module Name: src Committed By: mrg Date: Sat May 8 04:29:07 UTC 2021
Modified Files: src/lib/libcurses: refresh.c Log Message: avoid accessing stack garbage. on arm64eb resuming vi(1) would often crash. in makech(), the 'csp' variable is either set to current window data, or a local stack variable's address '&blank'. the window data has many lines of info stored, and 'csp++' is used per line here. unfortunately, a case existed where 'csp++' operated on csp initialised from '&blank', which eventually crashes when, on my display with 160 columns, 'csp + 155' exceeds the mapped stack. match the '!_cursesi_screen->curwin' conditional that initialises csp, and avoid csp++ here. assert() that csp != &blank in both places that modify csp. thanks to jdc@ and mlelstv@. XXX: possibly also should avoid the putch() here as well. To generate a diff of this commit: cvs rdiff -u -r1.112 -r1.113 src/lib/libcurses/refresh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/lib/libcurses/refresh.c
diff -u src/lib/libcurses/refresh.c:1.112 src/lib/libcurses/refresh.c:1.113
--- src/lib/libcurses/refresh.c:1.112 Mon Feb 24 12:20:29 2020
+++ src/lib/libcurses/refresh.c Sat May 8 04:29:07 2021
@@ -1,4 +1,4 @@
-/* $NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $ */
+/* $NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $ */
 
 /*
  * Copyright (c) 1981, 1993, 1994
@@ -34,13 +34,14 @@
 #if 0
 static char sccsid[] = "@(#)refresh.c 8.7 (Berkeley) 8/13/94";
 #else
-__RCSID("$NetBSD: refresh.c,v 1.112 2020/02/24 12:20:29 rin Exp $");
+__RCSID("$NetBSD: refresh.c,v 1.113 2021/05/08 04:29:07 mrg Exp $");
 #endif
 #endif /* not lint */
 
 #include <poll.h>
 #include <stdlib.h>
 #include <string.h>
+#include <assert.h>
 
 #include "curses.h"
 #include "curses_private.h"
@@ -1322,6 +1323,7 @@ makech(int wy)
 csp->ch = (wchar_t)btowc((int)' ');
 SET_WCOL( *csp, 1 );
 #endif /* HAVE_WCHAR */
+ assert(csp != &blank);
 csp++;
 }
 return OK;
@@ -1368,7 +1370,10 @@ makech(int wy)
 {
 if (putch(nsp, csp, wy, wx) == ERR)
 return ERR;
- csp++;
+ if (!_cursesi_screen->curwin) {
+ assert(csp != &blank);
+ csp++;
+ }
 } else {
 putattr(nsp);
 putattr_out(nsp);
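Review bot: The added `assert(csp != &blank);` is the only thing standing between this `csp++` (hunk at line 1323) and the stack walk the log message describes, and assert() is compiled out when NDEBUG is defined, so a release build of libcurses gets no protection at this site if the &blank case can still reach it. The later hunk at line 1370 pairs its assert with an `if (!_cursesi_screen->curwin)` guard so the increment itself is skipped; if the same condition is what makes `csp` safe here, guarding the increment the same way, `if (!_cursesi_screen->curwin) { assert(csp != &blank); csp++; }`, would keep the fix independent of NDEBUG. If instead an earlier branch of makech() already guarantees `csp` is window data on this path, a one-line comment naming that condition above the assert would let a reader confirm it without tracing the whole function. makech()'s body starts and ends outside this hunk, so which of the two applies is not visible here.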
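Review bot: The new `if (!_cursesi_screen->curwin)` block in the hunk at line 1370 deserves a comment saying why `csp` must not advance in the curwin case, because the reason — that `csp` then points at the single local variable `blank` rather than at a line of window data — lives only in the commit message and is invisible to the next reader of makech(). A line such as `/* with curwin set, csp is &blank (one local cell, not a line of window data): never advance it */` above the `if` would capture it. The `putch(nsp, csp, wy, wx)` call two lines earlier still receives that same `csp` in the curwin case, which the log message leaves as an open XXX; carrying that XXX into the comment keeps the open question attached to the code rather than to the commit mail. The enclosing loop and makech() itself start and end outside this hunk.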