Subject: fix for free() of uninitialized variable
From: Todd C. Miller
Date: Fri, 20 Oct 2000 09:35:18 -0600
Just got this PR in yesterday, the included patch seems correct.
- todd
------- Forwarded Message
Return-Path: address@hidden
Delivery-Date: Thu, 19 Oct 2000 20:04:30 -0600
Received: from openbsd.cs.colorado.edu (openbsd.cs.colorado.edu
[128.138.192.83])
by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e9K24Ta14401
for <address@hidden>; Thu, 19 Oct 2000 20:04:30 -0600 (MDT)
Received: from localhost (address@hidden)
by openbsd.cs.colorado.edu (8.10.1/8.10.1) with SMTP id e9K20Mg24817;
Thu, 19 Oct 2000 20:00:22 -0600 (MDT)
Received: by openbsd.org (TLB v0.11a (1.26 tibbs 1998/09/22 04:41:41)); Thu, 19
Oct 2000 20:00:18 -0600 (MDT)
Received: (from address@hidden)
by openbsd.cs.colorado.edu (8.10.1/8.10.1) id e9K20F010689
for bugs-list; Thu, 19 Oct 2000 20:00:15 -0600 (MDT)
Received: from mroe.cs.colorado.edu (mroe-fs.cs.colorado.edu [128.138.242.197])
by openbsd.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id e9K20Dm12135
for <address@hidden>; Thu, 19 Oct 2000 20:00:13 -0600 (MDT)
Received: from cvs.openbsd.org (IDENT:address@hidden [199.185.137.3])
by mroe.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id e9K207N27777
for <address@hidden>; Thu, 19 Oct 2000 20:00:07 -0600 (MDT)
Received: (from address@hidden)
by cvs.openbsd.org (8.10.1/8.10.1) id e9K202V04249;
Thu, 19 Oct 2000 20:00:02 -0600 (MDT)
Resent-Date: Thu, 19 Oct 2000 20:00:02 -0600 (MDT)
Resent-Message-Id: <address@hidden>
Resent-From: address@hidden (GNATS Management)
Resent-To: address@hidden
Resent-Reply-To: address@hidden, address@hidden
Received: from openbsd.cs.colorado.edu (openbsd.cs.colorado.edu
[128.138.192.83])
by cvs.openbsd.org (8.10.1/8.10.1) with ESMTP id e9K1w0f07564
for <address@hidden>; Thu, 19 Oct 2000 19:58:00 -0600 (MDT)
Received: from aragorn.guenther.procmail.org (tcsndslgw3poola25.tcsn.uswest.net
[63.227.92.25])
by openbsd.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id e9K1vxm04740
for <address@hidden>; Thu, 19 Oct 2000 19:58:00 -0600 (MDT)
Received: (from address@hidden)
by aragorn.guenther.procmail.org (8.10.1/8.10.1) id e9K1t7a28353
for address@hidden; Thu, 19 Oct 2000 18:55:07 -0700 (MST)
Message-Id: <address@hidden>
Date: Thu, 19 Oct 2000 18:51:26 -0700 (MST)
From: address@hidden
Reply-To: address@hidden
To: address@hidden
Subject: library/1463: tgetent() calls free() on uninitialized variable
Sender: address@hidden
Precedence: bulk
X-Loop: address@hidden
>Number: 1463
>Category: library
>Synopsis: tgetent() calls free() on uninitialized variable
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bugs
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 19 20:00:02 MDT 2000
>Last-Modified:
>Originator: Philip Guenther
>Organization:
net
>Release: OPENBSD_2_7
>Environment:
System : OpenBSD 2.7
Architecture: OpenBSD.i386
Machine : i386
Library : libcurses
>Description:
The library internal function _nc_tgetent() passes the
address of an uninitialized variable, 'dummy', to the function
_nc_cgetent(), then calls free() on the variable if it's non-zero.
However, _nc_cgetent() doesn't alter that variable on failure,
leaving it uninitialized.
_nc_tgetent() needs to either initialize the variable to 0/NULL
(that's what the included patch does), or only free it if
_nc_cgetent() succeeds. The former seems more robust as it'll
correctly handle partial success by _nc_cgetent().
>How-To-Repeat:
Link the following against libcurses. When run it'll generate the
warning:
foo in free(): warning: junk pointer, too high to make sense.
#include <curses.h>
#include <term.h>

/* Fill a large stack region with a recognizable junk value so that the
 * uninitialized 'dummy' in _nc_tgetent() is likely to hold it afterwards.
 * 'volatile' keeps an optimizing compiler from dropping the loop. */
void put_garbage_on_stack(void)
{
        volatile int buffer[16*1024];
        int i;

        for (i = 0; i < 16*1024; i++) {
                buffer[i] = 0xdeadbeef;
        }
}

int main(void)
{
        put_garbage_on_stack();
        /* A lookup that fails inside _nc_cgetent() reaches free(dummy). */
        tgetent("", "screen.xterm");
        return 0;
}
>Fix:
Index: lib/libcurses/tinfo/read_termcap.c
===================================================================
RCS file: /cvs/src/lib/libcurses/tinfo/read_termcap.c,v
retrieving revision 1.8.2.1
diff -c -r1.8.2.1 read_termcap.c
*** lib/libcurses/tinfo/read_termcap.c 2000/10/10 15:33:04 1.8.2.1
- --- lib/libcurses/tinfo/read_termcap.c 2000/10/20 01:32:12
***************
*** 771,777 ****
register char *p;
register char *cp;
! char *dummy;
char **fname;
char *home;
int i;
- --- 771,777 ----
register char *p;
register char *cp;
! char *dummy = NULL;
char **fname;
char *home;
int i;
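Review bot: initialising dummy to NULL at its declaration makes the unconditional free() safe for the first use only; the declaration sits next to `char **fname` (apparently a list of file names), so if the _nc_cgetent() call and the free(dummy) are repeated once per file, dummy should also be reset to NULL after each free(), otherwise a later call that fails without touching it hands the stale pointer to free() a second time. The loop, if any, is outside this hunk, so that needs checking in the surrounding code. Separately, the `- ---` lines in the file header and hunk header are dash-escaped (`--- ` became `- --- `), so the patch as pasted will not apply with patch(1) until the leading "- " is stripped.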
>Audit-Trail:
>Unformatted:
------- End of Forwarded Message
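To make the reasoning in the PR's description concrete, here is an added example (not code from the PR, from OpenBSD or from ncurses) that models _nc_cgetent() with a constructed stand-in, lookup_entry(), whose three modes are an assumption for the demo, and compares the two caller strategies the report weighs: initialise the pointer to NULL and free whatever is non-NULL afterwards, versus free only when the callee reports success.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for _nc_cgetent(): the mode argument selects the
 * path taken. It is not the ncurses function, only a model of its contract. */
enum lookup_mode { LOOKUP_FAIL, LOOKUP_OK, LOOKUP_PARTIAL };

/* LOOKUP_FAIL: returns -1 without touching *out, the behaviour the PR
 * describes. LOOKUP_OK: allocates *out and returns 0. LOOKUP_PARTIAL:
 * allocates *out but still returns -1 (the "partial success" case). */
static int lookup_entry(enum lookup_mode mode, const char *name, char **out)
{
    size_t len;

    if (mode == LOOKUP_FAIL)
        return -1;
    len = strlen(name) + 1;
    *out = malloc(len);
    if (*out == NULL)
        return -1;
    memcpy(*out, name, len);
    return (mode == LOOKUP_OK) ? 0 : -1;
}

/* What each caller variant ended up doing with the allocation. */
enum outcome { FREED_NOTHING = 0, FREED_ENTRY = 1, LEAKED_ENTRY = 2 };

/* Variant A, the approach the patch takes: start from NULL and free whatever
 * is non-NULL afterwards. free(NULL) is a no-op, so every path is defined,
 * and a partial success is released as well. */
static enum outcome caller_init_to_null(enum lookup_mode mode)
{
    char *dummy = NULL;

    (void)lookup_entry(mode, "screen.xterm", &dummy);
    if (dummy == NULL)
        return FREED_NOTHING;
    free(dummy);
    return FREED_ENTRY;
}

/* Variant B, the alternative the PR mentions: free only when the callee
 * reports success. Also defined, but a partial success is leaked. dummy is
 * initialised here only so the leak can be observed; left uninitialised,
 * inspecting it after a plain failure would itself be undefined. */
static enum outcome caller_free_on_success(enum lookup_mode mode)
{
    char *dummy = NULL;
    int rc = lookup_entry(mode, "screen.xterm", &dummy);

    if (rc == 0) {
        free(dummy);
        return FREED_ENTRY;
    }
    if (dummy != NULL) {
        free(dummy);           /* released here so the demo does not leak... */
        return LEAKED_ENTRY;   /* ...but variant B on its own would have lost it */
    }
    return FREED_NOTHING;
}

int main(void)
{
    static const char *const names[] = { "fail", "ok", "partial" };
    int m;

    for (m = LOOKUP_FAIL; m <= LOOKUP_PARTIAL; m++)
        printf("%-8s init-to-NULL=%d  free-on-success=%d\n", names[m],
               (int)caller_init_to_null((enum lookup_mode)m),
               (int)caller_free_on_success((enum lookup_mode)m));
    return 0;
}
```

Build with cc -Wall and run: the only row where the two variants differ is the partial-success case, where free-on-success leaks what the callee allocated, which is the reason the report prefers initialising to NULL. If the lookup and the free() were repeated in a loop, the pointer should additionally be reset to NULL after each free() so that a later call failing without touching it cannot hand the stale value to free() again.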