Date: Fri, 15 Feb 2008 18:00:04 GMT
Message-Id: <200802151800.m1FI04Vf018717@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Jaakko Heinonen
Subject: Re: bin/92074: top(1) aborts in redzone
List-Id: Bug reports

The following reply was made to PR bin/92074; it has been noted by GNATS.
From: Jaakko Heinonen
To: bug-followup@FreeBSD.org
Subject: Re: bin/92074: top(1) aborts in redzone
Date: Fri, 15 Feb 2008 19:52:31 +0200

I can reproduce this bug. After some research I found three bugs in top(1):

1) Off-by-one error mentioned earlier in this PR.

2) In u_process bufferline is not NULL-terminated. It's later passed to strlen(3) in line_update().

3) line_update() references an invalid memory location when display_width is 0 (terminal is one character wide).

The attached patch should fix these.

-- 
Jaakko

Attachment: top-resize-crash.diff (text/x-diff)

Index: display.c
===================================================================
RCS file: /home/ncvs/src/contrib/top/display.c,v
retrieving revision 1.10
diff -u -r1.10 display.c
--- display.c	18 Jan 2008 01:43:13 -0000	1.10
+++ display.c	15 Feb 2008 12:36:03 -0000
@@ -139,7 +139,7 @@ } /* now, allocate space for the screen buffer */ - screenbuf = (char *)malloc(lines * display_width); + screenbuf = (char *)malloc(lines * display_width + 1); if (screenbuf == (char *)NULL) { /* oops! */
@@ -801,6 +801,7 @@ /* truncate the line to conform to our current screen width */ newline[display_width] = '\0'; + bufferline[display_width] = '\0'; /* is line higher than we went on the last display? */ if (line >= last_hi)
@@ -1137,6 +1138,9 @@ fputs(new, debug); fputs("\n-\n", debug); #endif + + if (display_width < 1) + return; /* start things off on the right foot */ /* this is to make sure the invariants get set up right */
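Review bot: the `+ 1` in `malloc(lines * display_width + 1)` (first hunk, around line 142) needs a comment saying what it is for; presumably it makes room for the terminator that the second hunk writes at `newline[display_width]` on the last row, but a reader of this line alone will take it for an off-by-one in the other direction. Nothing at this call site rejects a zero or negative `display_width` either; the guard added in the third hunk lives in `line_update()` only, so a zero width still produces a one-byte `screenbuf` here. Suggest adding the comment and checking the width before the allocation as well.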
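Review bot: `bufferline[display_width] = '\0'` (second hunk, around line 804) assumes `bufferline` holds at least `display_width + 1` bytes; its allocation is not visible in this hunk, so please confirm it was sized with the same extra byte that the first hunk gives `screenbuf`, otherwise this store is itself a one-byte overflow rather than the fix for one. A short comment next to it noting that `bufferline` is later handed to `strlen()` would also explain why the terminator is needed at this point.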
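Review bot: the early `return` for `display_width < 1` (third hunk, around line 1141) is placed after the `#ifdef` debug block, so `fputs(new, debug)` still runs on a zero-width terminal; move the check above the debug output so the function bails out before doing anything. The guard also protects only `line_update()`: if `display_width` can legitimately be 0 after a resize, the `malloc` in the first hunk and the terminator stores in the second still run with that value, so consider clamping the width where it is computed instead of, or in addition to, here.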
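The three defects listed in the reply (an allocation one byte too small, a row handed to strlen(3) without a terminator, and a zero-width terminal dereferencing outside the buffer) all come from one buffer layout. The following is an added example, not top(1)'s code and not part of the patch above, of a row buffer that avoids all three by construction: every row gets its own terminator byte, copies are length-bounded so an unterminated source cannot run off the end, and a zero or negative width is refused before any memory is allocated. The names `struct screenbuf` and `screenbuf_*` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical row buffer: `lines` rows of (width + 1) bytes each, so the
 * terminator of the last row never lands past the end of the allocation. */
struct screenbuf {
    int lines;
    int width;
    char *buf;
};

/* Bounded length, so an unterminated source (the bufferline defect in the
 * reply) can never make us read past `max` bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 0 on success, -1 for an unusable size or allocation failure. */
int screenbuf_init(struct screenbuf *sb, int lines, int width)
{
    sb->buf = NULL;
    sb->lines = sb->width = 0;
    if (lines < 1 || width < 1)             /* zero-width terminal: refuse */
        return -1;
    size_t rowsz = (size_t)width + 1;       /* room for the NUL on every row */
    if ((size_t)lines > SIZE_MAX / rowsz)   /* size computation must not wrap */
        return -1;
    sb->buf = calloc((size_t)lines, rowsz); /* every row starts terminated */
    if (sb->buf == NULL)
        return -1;
    sb->lines = lines;
    sb->width = width;
    return 0;
}

static char *screenbuf_row(const struct screenbuf *sb, int line)
{
    return sb->buf + (size_t)line * ((size_t)sb->width + 1);
}

/* Copy src into row `line`, truncating to the width and always terminating.
 * Returns the number of characters stored, or -1 for an invalid row. */
int screenbuf_set(struct screenbuf *sb, int line, const char *src)
{
    if (sb->buf == NULL || line < 0 || line >= sb->lines)
        return -1;
    char *dst = screenbuf_row(sb, line);
    size_t n = bounded_len(src, (size_t)sb->width);
    memcpy(dst, src, n);
    dst[n] = '\0';                          /* never left unterminated */
    return (int)n;
}

/* Row contents, or NULL for an invalid row; always safe to pass to strlen(). */
const char *screenbuf_get(const struct screenbuf *sb, int line)
{
    if (sb->buf == NULL || line < 0 || line >= sb->lines)
        return NULL;
    return screenbuf_row(sb, line);
}

void screenbuf_free(struct screenbuf *sb)
{
    free(sb->buf);
    sb->buf = NULL;
    sb->lines = sb->width = 0;
}
```

The layout costs one byte per row rather than one byte per buffer, which is what lets `screenbuf_set()` terminate every row in place without the row-N terminator aliasing the first byte of row N+1; `screenbuf_init()` returning -1 for a width below 1 is the same condition the patch guards in `line_update()`, moved to the point where the size is decided.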