Date: Sat, 18 Jun 2005 12:42:31 +0200
From: "Björn König" <bkoenig@cs.tu-berlin.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/82381: small bug in libedit might cause abnormal program termination
Message-ID: <20050618104231.443E512B0E5@eurystheus.local>
Resent-Message-ID: <200506181050.j5IAoFRF098955@freefall.freebsd.org>
>Number:         82381
>Category:       bin
>Synopsis:       small bug in libedit might cause abnormal program termination
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 18 10:50:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Björn König
>Release:
>Organization:
>Environment:
>Description:
libedit covers several vi and emacs functions and stores descriptions of them in a structure called el_func_help, which is generated automatically. This structure is terminated by { NULL, 0, NULL }, as is customary, to provide an exit condition for loops. The problem is that the map_init function in lib/libedit/map.c does not respect this null termination: it allocates memory for only N functions, but N+1 entries are necessary to include the terminator. You'll get a segmentation fault in certain cases.
>How-To-Repeat:
Set a language explicitly if you have not set one.

> setenv LANG en_US.ISO8859-1

Run a shell with the built-in emacs command line editor.

> sh -E

List all editor commands.

$ bind -l 2>/dev/null
Segmentation fault (core dumped)
>Fix:
--- libedit::map.c.diff begins here ---
--- src/lib/libedit/map.c.orig	Sat Jun 18 11:42:22 2005
+++ src/lib/libedit/map.c	Sat Jun 18 12:00:08 2005
@@ -917,11 +917,11 @@
 	el->el_map.vic = el_map_vi_command;
 	el->el_map.vii = el_map_vi_insert;
 	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
-	    EL_NUM_FCNS);
+	    (EL_NUM_FCNS + 1));
 	if (el->el_map.help == NULL)
 		return (-1);
 	(void) memcpy(el->el_map.help, help__get(),
-	    sizeof(el_bindings_t) * EL_NUM_FCNS);
+	    sizeof(el_bindings_t) * (EL_NUM_FCNS + 1));
 	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.func == NULL)
--- libedit::map.c.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
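Review bot: the `+ 1` in `el_malloc(sizeof(el_bindings_t) * (EL_NUM_FCNS + 1))` and in the matching `memcpy` size is a bare magic offset whose reason (room for the `{ NULL, 0, NULL }` terminator that the listing loop stops on) lives only in the PR text; a one-line comment at the allocation, or one sized expression shared by both calls, would keep the two sizes from drifting apart. The `el_map.func` allocation three lines below is still sized `EL_NUM_FCNS`: if `func__get()` returns a table without a terminator that is correct and a comment saying so would stop the next reader from "fixing" it the same way, and if it does carry one it needs the same `+ 1`.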
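The off-by-one described above, reduced to a stand-alone C model that is added here and is not libedit's code: `bindings_t`, `help_table` and `NUM_FCNS` are constructed stand-ins for `el_bindings_t`, the `help__get()` table and `EL_NUM_FCNS`, and `has_terminator()` checks whether a copy sized for `count` elements still carries the `{ NULL, 0, NULL }` sentinel that a `bind -l` style loop relies on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced stand-in for libedit's el_bindings_t. */
typedef struct {
    const char *name;
    int func;
    const char *description;
} bindings_t;

/* Constructed stand-in for the auto-generated help table: NUM_FCNS real
 * entries followed by the { NULL, 0, NULL } terminator. */
static const bindings_t help_table[] = {
    { "ed-end-of-file",      0, "Indicate end of file" },
    { "em-delete-next-char", 1, "Delete next character" },
    { "vi-kill-line-prev",   2, "Delete from beginning of line" },
    { NULL, 0, NULL }
};
#define NUM_FCNS 3   /* plays the role of EL_NUM_FCNS: real entries only */

/* Copy the table into a heap buffer sized for `count` elements.
 * count == NUM_FCNS mirrors the buggy map_init; NUM_FCNS + 1 is the fix. */
static bindings_t *copy_help(size_t count)
{
    bindings_t *help = malloc(sizeof(bindings_t) * count);
    if (help == NULL)
        return NULL;
    memcpy(help, help_table, sizeof(bindings_t) * count);
    return help;
}

/* Return 1 if the copied table contains its NULL sentinel within the
 * `count` elements actually copied, 0 if a name-terminated walk would
 * run off the end of the allocation. The walk is bounded on purpose. */
int has_terminator(size_t count)
{
    bindings_t *help = copy_help(count);
    int found = 0;
    if (help == NULL)
        return 0;
    for (size_t i = 0; i < count; i++)
        if (help[i].name == NULL) { found = 1; break; }
    free(help);
    return found;
}

int main(void)
{
    printf("NUM_FCNS:     terminator present = %d\n", has_terminator(NUM_FCNS));
    printf("NUM_FCNS + 1: terminator present = %d\n", has_terminator(NUM_FCNS + 1));
    return 0;
}
```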