Bug: heap-buffer-overflow of function one_one_mapping

[address@hidden]

Hi,

    I have found some crashes about infotocap using fuzzing. 

    I can verify this crash on ncurses latest snapshot label v6_1_20191005.

## heap-buffer-overflow, one_one_mapping, progs/dump_entry.c:1373, ncurses 6.1
POC: https://github.com/zjuchenyuan/fuzzpoc/raw/master/infotocap_poc1
```
# ./infotocap -o /dev/null infotocap_poc1
==34599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000ff4e at pc 0x000000440933 bp 0x7ffffffeb1f0 sp 0x7ffffffeb1e0
READ of size 1 at 0x61c00000ff4e thread T0
    #0 0x440932 in one_one_mapping ../progs/dump_entry.c:1373
    #1 0x440932 in purged_acs ../progs/dump_entry.c:1399
    #2 0x440932 in dump_entry ../progs/dump_entry.c:1561
    #3 0x405006 in main ../progs/tic.c:1035
    #4 0x7ffff6ac082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x408b98 in _start (/d/p/cveasan/infotocap+0x408b98)
0x61c00000ff4e is located 0 bytes to the right of 1742-byte region [0x61c00000f880,0x61c00000ff4e)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4f492c in _nc_wrap_entry ../ncurses/./tinfo/alloc_entry.c:177
    #2 0x62100001a4ff  (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../progs/dump_entry.c:1373 one_one_mapping
Shadow bytes around the buggy address:
  0x0c387fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9fe0: 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa fa
  0x0c387fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==34599==ABORTING
```
corresponding source code:
```
1366 static bool
1367 one_one_mapping(const char *mapping)
1368 {
1369     bool result = TRUE;
1370
1371     if (VALID_STRING(mapping)) {
1372         int n = 0;
1373         while (mapping[n] != '\0') {
1374             if (isLine(mapping[n]) &&
1375                 mapping[n] != mapping[n + 1]) {
1376                 result = FALSE;
1377                 break;
1378             }
1379             n += 2;
1380         }
1381     }
1382     return result;
1383 }
```

Reproducible Docker image has been pushed to `zjuchenyuan/dockerized_poc:ncurses`, Dockerfile:

```

FROM zjuchenyuan/afl

ENV AFL_USE_ASAN=1 ASAN_OPTIONS="detect_leaks=0"
RUN git clone https://github.com/ThomasDickey/ncurses-snapshots &&\
    cd ncurses-snapshots &&\
    git checkout 8805e9e &&\
    ./configure --disable-shared &&\
    make -j &&\
    cp ./progs/tic /tmp/infotocap

RUN git clone https://github.com/zjuchenyuan/fuzzpoc
RUN /tmp/infotocap fuzzpoc/infotocap_poc1 || exit 0

```

---

zjuchenyuan