possible heap overrun in tparm
From: Sergei Ivanov
Subject: possible heap overrun in tparm
Date: Thu, 12 Oct 2000 14:05:26 +0400 (MSD)
Hello ncurses maintainers,
In ncurses-5.1, it seems that there is a tiny chance of heap overrun
(off-by-one) in tparm (ncurses/tinfo/lib_tparm.c).
Near the end of tparam_internal(), it does
out_buff[out_used] = '\0'
But it is not guaranteed that there are out_used+1 bytes allocated
in out_buff. If the last operation was save_char() - which calls
get_space(1) - it may happen that out_used==out_size-1 before
the call to save_char() and therefore out_used==out_size after the call.
(Other save_xxx() functions in the module are ok.) Right?
This gets fixed if you either call get_space(2) in save_char(),
or call get_space(1) before the offending operator.
The patch below does the second thing, and also makes tparm()
consistently call _nc_err_abort() in all no-memory cases
(because get_space() does this).
Regards,
Sergei
--- lib_tparm.c.-1 Sun Jun 6 04:04:55 1999
+++ lib_tparm.c Thu Oct 12 13:53:53 2000
@@ -562,8 +562,7 @@
string++;
} /* endwhile (*string) */
- if (out_buff == 0 && (out_buff = typeCalloc(char,1)) == NULL)
- return(NULL);
+ get_space(1);
out_buff[out_used] = '\0';
T((T_RETURN("%s"), _nc_visbuf(out_buff)));
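Review bot: the removed `return(NULL)` was the one place in this function where an allocation failure was reported back to tparm()'s caller; after this hunk an out-of-memory condition at this point goes through _nc_err_abort() instead (the description says get_space() does that), so any caller that tested the result for NULL loses that path, and the behaviour change deserves a line in the ChangeLog. It is also worth confirming that get_space(1) allocates when out_buff is still 0 (an empty expansion, where the deleted typeCalloc branch was the only allocation) rather than only growing an existing buffer, because the `out_buff[out_used] = '\0';` that follows now relies on it for that case as well as for the full-buffer case the report describes.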
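The off-by-one described in the report, modelled in stand-alone C. This is an added illustration, not ncurses code: the `outbuf` struct, the doubling growth policy and the `finish_*` names are assumptions that only mirror the shape of get_space() and save_char() as the report describes them (grow only when used + need > size; reserve one byte, then consume it). The pre-patch finalisation reports, instead of performing, the store that would land one byte past the allocation, so the model can be run safely and compared with the patched version.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of tparm()'s output buffer: buf grows on demand,
 * used counts bytes written, size counts bytes allocated. */
struct outbuf {
    char *buf;
    size_t used;
    size_t size;
};

/* Mirrors get_space(): ensure 'need' more bytes fit after the used ones.
 * The doubling policy is an assumption; only the invariant matters. */
static void get_space(struct outbuf *o, size_t need)
{
    need += o->used;
    if (need > o->size) {
        o->size = need * 2;
        o->buf = realloc(o->buf, o->size);
        if (o->buf == NULL) {
            fprintf(stderr, "out of memory\n"); /* ncurses would _nc_err_abort() */
            exit(1);
        }
    }
}

/* Mirrors save_char(): reserve exactly one byte, then consume it.
 * Afterwards used may equal size, i.e. the buffer is completely full. */
static void save_char(struct outbuf *o, int c)
{
    get_space(o, 1);
    o->buf[o->used++] = (char) c;
}

/* Push every byte of s through save_char(), as the loop in
 * tparam_internal() does for literal characters. */
static void fill(struct outbuf *o, const char *s)
{
    memset(o, 0, sizeof *o);
    for (; *s != '\0'; s++)
        save_char(o, (unsigned char) *s);
}

/* Pre-patch finalisation: a 1-byte calloc when nothing was written, then
 * buf[used] = '\0' with no check that used < size.  Returns 1 instead of
 * performing the out-of-bounds store. */
static int finish_unchecked(struct outbuf *o)
{
    if (o->buf == NULL) {
        o->buf = calloc(1, 1);
        o->size = 1;
        if (o->buf == NULL)
            return -1;
    }
    if (o->used >= o->size)
        return 1;                       /* one-byte heap overrun */
    o->buf[o->used] = '\0';
    return 0;
}

/* Post-patch finalisation: reserve a byte for the NUL first. */
static void finish_checked(struct outbuf *o)
{
    get_space(o, 1);
    o->buf[o->used] = '\0';
}

/* 1 if the pre-patch code would write one byte past the allocation. */
int unchecked_overruns(const char *s)
{
    struct outbuf o;
    int r;
    fill(&o, s);
    r = finish_unchecked(&o);
    free(o.buf);
    return r;
}

/* 1 if the patched code leaves an in-bounds, NUL-terminated copy of s. */
int checked_terminates(const char *s)
{
    struct outbuf o;
    int r;
    fill(&o, s);
    finish_checked(&o);
    r = o.used < o.size && o.buf[o.used] == '\0' && strlen(o.buf) == strlen(s);
    free(o.buf);
    return r;
}

int main(void)
{
    /* constructed inputs: "ab" and "abcdef" end exactly on a growth boundary */
    const char *inputs[] = { "", "a", "ab", "abc", "abcdef" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-8s unchecked overrun=%d  checked ok=%d\n", inputs[i],
               unchecked_overruns(inputs[i]), checked_terminates(inputs[i]));
    return 0;
}
```

With this growth policy the overrun only fires when the last save_char() lands exactly on the allocation boundary ("ab" fills a 2-byte buffer, "abcdef" a 6-byte one), which is why the report calls it a tiny chance: most expansions leave slack and never hit it, so the bug is silent until an input of just the right length comes along. The empty-output case goes through the old calloc branch and is fine either way; the patched finaliser handles both cases with the same get_space(1) call.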