[screen-devel] [bug #58259] Memory corruption by terminfo
From: Scott Shambarger
Subject: [screen-devel] [bug #58259] Memory corruption by terminfo
Date: Fri, 11 Feb 2022 23:22:16 -0500 (EST)
Follow-up Comment #2, bug #58259 (project screen):
Finally had a chance to take a look at this one... found the source of the
problem:
termcap.c:156
    case T_STR:
        D_tcs[i].str = e_tgetstr(term[i].tcname, &tp);
tgetstr(), the tp buffer is expected to have 1024, but tp is advanced on
return... and there's no check on overflow when called repeatedly. If the
source is termcap, a 1024 buffer is fine as that's the standard termcap size
limit anyway... with a terminfo source, the limit is really T_STR(1024) * T_N
entries... unlikely, but quite legal.
There's a function called t_agetstr which handles (re)allocation of the
buffer, but may not be available on all platforms.
A portable solution would be to pass NULL as tp and then copy the return value
to a realloc'd buffer locally sized to handle the value.
Using TERMCAP_BUFSIZE for tp is really not correct here (regardless of value).
I could supply a patch to handle a realloc buffer solution, unless someone
has a better solution?
Reply to this item at: <https://savannah.gnu.org/bugs/?58259>
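Added illustration of the two points in the comment above; this is not screen's code and mock_tgetstr is not the real tgetstr(). It assumes a constructed "database" of 11 capability strings of 100 bytes each (just over the 1024-byte tp buffer), shows the fixed-buffer loop with the overflow check the comment says is missing, and the portable fix of passing NULL and copying into a realloc'd buffer sized to the values actually returned.

```c
#include <stdlib.h>
#include <string.h>

#define TERMCAP_BUFSIZE 1024 /* the fixed tp size the report describes */
#define NCAPS 11             /* constructed: 11 caps of 100 bytes exceed 1024 */
#define CAPLEN 99

/* Constructed stand-in for a terminfo database: 99 printable bytes per cap. */
static char caps[NCAPS][CAPLEN + 1];

static void init_caps(void) {
    for (int i = 0; i < NCAPS; i++) { memset(caps[i], 'a' + i, CAPLEN); caps[i][CAPLEN] = '\0'; }
}

/* Mimics tgetstr(): a non-NULL area gets the string copied in and is advanced
 * past it with no bound check; a NULL area just returns the database's copy. */
static char *mock_tgetstr(int i, char **area) {
    if (i < 0 || i >= NCAPS) return NULL;
    if (!caps[0][0]) init_caps();
    if (area == NULL) return caps[i];
    size_t n = strlen(caps[i]) + 1;
    char *res = memcpy(*area, caps[i], n);
    *area += n;
    return res;
}

/* Fixed buffer plus the missing check: returns -1 as soon as the next
 * capability would not fit in the space left after the earlier ones. */
static int load_fixed(char *buf, size_t bufsize) {
    char *tp = buf;
    for (int i = 0; i < NCAPS; i++) {
        size_t need = strlen(mock_tgetstr(i, NULL)) + 1;
        if (need > bufsize - (size_t)(tp - buf)) return -1;
        mock_tgetstr(i, &tp);
    }
    return NCAPS;
}

/* The portable fix: query with NULL, then copy into one realloc'd buffer sized
 * to the values seen so far. Offsets, not pointers, are recorded because
 * realloc may move the buffer. Returns bytes used, or -1 if allocation fails. */
static long load_growable(char **out, size_t offs[NCAPS]) {
    char *buf = NULL; size_t used = 0;
    for (int i = 0; i < NCAPS; i++) {
        const char *s = mock_tgetstr(i, NULL);
        size_t n = strlen(s) + 1;
        char *nb = realloc(buf, used + n);
        if (!nb) { free(buf); return -1; } buf = nb;
        memcpy(buf + used, s, n);
        offs[i] = used; used += n;
    }
    *out = buf;
    return (long)used;
}
```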