From owner-freebsd-bugs@FreeBSD.ORG  Sat Jun 18 10:50:16 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1667E16A41C
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 18 Jun 2005 10:50:16 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DD47A43D1F
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 18 Jun 2005 10:50:15 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j5IAoFph098957
	for <freebsd-bugs@freefall.freebsd.org>; Sat, 18 Jun 2005 10:50:15 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j5IAoFRF098955;
	Sat, 18 Jun 2005 10:50:15 GMT (envelope-from gnats)
Resent-Date: Sat, 18 Jun 2005 10:50:15 GMT
Resent-Message-Id: <200506181050.j5IAoFRF098955@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
        Björn König <bkoenig@cs.tu-berlin.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2887916A41C
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 10:44:06 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from mail.efacilitas.de (efacilitas.de [213.133.110.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AB07C43D48
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 10:44:05 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from eurystheus.local (port-212-202-169-37.dynamic.qsc.de
	[212.202.169.37])
	by mail.efacilitas.de (Postfix) with ESMTP id 2855B123978
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 12:42:28 +0200 (CEST)
Received: from localhost (eurystheus.local [192.168.1.67])
	by eurystheus.local (Postfix) with ESMTP id 2478D12B0E7
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 12:42:36 +0200 (CEST)
Received: from eurystheus.local ([192.168.1.67])
	by localhost (eurystheus.locaL [192.168.1.67]) (amavisd-new, port 10024)
	with ESMTP id 83907-06 for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 12:42:31 +0200 (CEST)
Received: from hoppel.local (eurystheus.local [192.168.1.67])
	by eurystheus.local (Postfix) with SMTP id 443E512B0E5
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 18 Jun 2005 12:42:31 +0200 (CEST)
Received: by hoppel.local (sSMTP sendmail emulation);
	Sat, 18 Jun 2005 12:42:31 +0200
Message-Id: <20050618104231.443E512B0E5@eurystheus.local>
Date: Sat, 18 Jun 2005 12:42:31 +0200
From: "Björn König" <bkoenig@cs.tu-berlin.de>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: bin/82381: small bug in libedit might cause abnormal program
	termination
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Björn König <bkoenig@cs.tu-berlin.de>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2005 10:50:16 -0000


>Number:         82381
>Category:       bin
>Synopsis:       small bug in libedit might cause abnormal program termination
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 18 10:50:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Björn König
>Release:        
>Organization:
>Environment:
>Description:
	libedit covers several vi and emacs functions and stores
	descriptions about them in a structure called el_func_help
	which will be generated automatically. This structure is
	terminated by { NULL, 0, NULL } as customary to have an
   	exit condition for use with loops. The problem is that
	the map_init function in lib/libedit/map.c do not respect
	this null-termination. It allocates memory for only N
	functions, but N+1 is necessary to include the termination.
	You'll get a segmentation fault in certain cases.
	
>How-To-Repeat:
	Set a language explicitly if you don't have set any.

	   > setenv LANG en_US.ISO8859-1

	Run a shell with built-in emacs command line editor.

	   > sh -E

	List all editor commands.

	   $ bind -l 2>/dev/null
	   Segmentation fault (core dumped)

>Fix:

--- libedit::map.c.diff begins here ---
--- src/lib/libedit/map.c.orig	Sat Jun 18 11:42:22 2005
+++ src/lib/libedit/map.c	Sat Jun 18 12:00:08 2005
@@ -917,11 +917,11 @@
 	el->el_map.vic = el_map_vi_command;
 	el->el_map.vii = el_map_vi_insert;
 	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
-	    EL_NUM_FCNS);
+	    (EL_NUM_FCNS + 1));
 	if (el->el_map.help == NULL)
 		return (-1);
 	(void) memcpy(el->el_map.help, help__get(),
-	    sizeof(el_bindings_t) * EL_NUM_FCNS);
+	    sizeof(el_bindings_t) * (EL_NUM_FCNS + 1));
 	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.func == NULL)
--- libedit::map.c.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: