
[screen-devel] [bug #58259] Memory corruption by terminfo


From: Scott Shambarger
Subject: [screen-devel] [bug #58259] Memory corruption by terminfo
Date: Fri, 11 Feb 2022 23:22:16 -0500 (EST)

Follow-up Comment #2, bug #58259 (project screen):

Finally had a chance to take a look at this one... found the source of the
problem:

termcap.c:156
        case T_STR:
          D_tcs[i].str = e_tgetstr(term[i].tcname, &tp);

In tgetstr(), the tp buffer is expected to have 1024, but tp is advanced on
return... and there's no check on overflow when called repeatedly.  If the
source is termcap, a 1024 buffer is fine as that's the standard termcap size
limit anyway... with a terminfo source, the limit is really T_STR(1024) * T_N
entries... unlikely, but quite legal.

There's a function called t_agetstr which handles (re)allocation of the
buffer, but may not be available on all platforms.

A portable solution would be to pass NULL as tp and then copy the return value
to a realloc'd buffer locally sized to handle the value.

Using TERMCAP_BUFSIZE for tp is really not correct here (regardless of value).
I could supply a patch to handle a realloc buffer solution, unless someone
has a better solution?


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58259>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
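Added illustration (not part of the bug report or of screen's source): a small C model of the defect described above and of the realloc'd-buffer fix the comment proposes. mock_tgetstr is a hypothetical stand-in for the termcap tgetstr(id, area) contract (copy into *area and advance it with no bounds check; return a pointer to the stored value when the area is NULL), the capability table is constructed with three 600-byte entries, and TERMCAP_BUFSIZE is assumed to be 1024 as in the report. Each entry is legal for a terminfo source, yet together they need 1803 bytes, so the fixed-area loop would overrun; the checked loader shows the missing comparison, and load_dynamic shows the portable NULL-area-plus-realloc approach.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERMCAP_BUFSIZE 1024   /* assumed: the fixed area size screen hands to tgetstr() */

struct cap { const char *name; const char *value; };

/* Hypothetical mock of tgetstr(id, area): with a non-NULL *area the value is
   copied there and *area advanced past the NUL with NO size check (the defect
   the report describes); with a NULL area a pointer to the stored value is
   returned instead. Returns NULL for an unknown capability. */
static char *mock_tgetstr(const struct cap *db, size_t ndb, const char *id, char **area)
{
    for (size_t i = 0; i < ndb; i++) {
        if (strcmp(db[i].name, id) != 0) continue;
        if (area == NULL || *area == NULL) return (char *)db[i].value;
        size_t len = strlen(db[i].value) + 1;
        char *dst = *area;
        memcpy(dst, db[i].value, len);   /* unchecked copy into the shared area */
        *area += len;
        return dst;
    }
    return NULL;
}

/* Total bytes that repeated calls into one shared area would write: the number
   the original loop never compares against TERMCAP_BUFSIZE. */
size_t bytes_needed(const struct cap *db, size_t ndb, const char **ids, size_t nids)
{
    size_t total = 0;
    for (size_t i = 0; i < nids; i++) {
        char *v = mock_tgetstr(db, ndb, ids[i], NULL);
        if (v) total += strlen(v) + 1;
    }
    return total;
}

/* The fixed-area pattern with the missing overflow check added: stops before a
   copy would run past buf + bufsz. Returns the count loaded, or -1 on refusal. */
int load_fixed_checked(const struct cap *db, size_t ndb, const char **ids, size_t nids,
                       char *buf, size_t bufsz, char **out)
{
    char *tp = buf;
    for (size_t i = 0; i < nids; i++) {
        char *v = mock_tgetstr(db, ndb, ids[i], NULL);   /* peek at the length first */
        size_t len = v ? strlen(v) + 1 : 0;
        if (len > bufsz - (size_t)(tp - buf)) return -1; /* would overflow the area */
        out[i] = v ? mock_tgetstr(db, ndb, ids[i], &tp) : NULL;
    }
    return (int)nids;
}

/* The portable fix from the comment: pass NULL as the area, then copy each value
   into a realloc'd arena sized to what was returned. realloc may move the arena,
   so offsets are recorded and resolved to pointers at the end. Caller frees. */
char *load_dynamic(const struct cap *db, size_t ndb, const char **ids, size_t nids,
                   char **out, size_t *used)
{
    char *arena = NULL; size_t cap = 0, len = 0;
    size_t *off = calloc(nids, sizeof *off);
    if (!off) return NULL;
    for (size_t i = 0; i < nids; i++) {
        char *v = mock_tgetstr(db, ndb, ids[i], NULL);
        off[i] = (size_t)-1;
        if (!v) continue;
        size_t need = strlen(v) + 1;
        if (len + need > cap) {                 /* grow to fit the actual value */
            cap = (len + need) * 2;
            char *n = realloc(arena, cap);
            if (!n) { free(arena); free(off); return NULL; }
            arena = n;
        }
        memcpy(arena + len, v, need);
        off[i] = len;
        len += need;
    }
    for (size_t i = 0; i < nids; i++) out[i] = off[i] == (size_t)-1 ? NULL : arena + off[i];
    free(off);
    *used = len;
    return arena;
}

/* Constructed sample table: three 600-byte string capabilities (values 'a'/'b'/'c'). */
static char demo_vals[3][601];
static struct cap demo_caps[3] = { {"cl", demo_vals[0]}, {"cm", demo_vals[1]}, {"ks", demo_vals[2]} };
const char *demo_ids[3] = { "cl", "cm", "ks" };
const struct cap *demo_db(size_t *ndb)
{
    for (int i = 0; i < 3; i++) { memset(demo_vals[i], 'a' + i, 600); demo_vals[i][600] = '\0'; }
    *ndb = 3;
    return demo_caps;
}

/* Scenario results over the constructed table. */
size_t demo_bytes_needed(void) { size_t n; const struct cap *db = demo_db(&n); return bytes_needed(db, n, demo_ids, 3); }
int demo_fixed_result(void)
{
    size_t n; const struct cap *db = demo_db(&n); char buf[TERMCAP_BUFSIZE]; char *out[3];
    return load_fixed_checked(db, n, demo_ids, 3, buf, sizeof buf, out);
}
size_t demo_dynamic_used(void)   /* bytes used by the arena, or 0 if contents are wrong */
{
    size_t n, used; const struct cap *db = demo_db(&n); char *out[3];
    char *arena = load_dynamic(db, n, demo_ids, 3, out, &used);
    if (!arena) return 0;
    int ok = out[0][0] == 'a' && out[1][0] == 'b' && out[2][0] == 'c' && strlen(out[2]) == 600;
    free(arena);
    return ok ? used : 0;
}

int main(void)
{
    printf("bytes needed: %zu, fixed area: %d\n", demo_bytes_needed(), TERMCAP_BUFSIZE);
    printf("fixed-area load (checked): %d\n", demo_fixed_result());
    printf("dynamic load used: %zu bytes\n", demo_dynamic_used());
    return 0;
}
```

The checked loader only refuses the second entry; it is there to show where the comparison is missing in the original loop, not as the proposed fix. The dynamic loader never hands tgetstr() a shared area at all, which is why the buffer size (TERMCAP_BUFSIZE or otherwise) stops mattering, matching the comment's point.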