From owner-freebsd-bugs Thu Nov 23 17: 0:18 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id F14BE37B65F for ; Thu, 23 Nov 2000 17:00:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id RAA86723; Thu, 23 Nov 2000 17:00:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from segfault.kiev.ua (segfault.kiev.ua [193.193.193.4]) by hub.freebsd.org (Postfix) with ESMTP id 187D337B681 for ; Thu, 23 Nov 2000 16:55:32 -0800 (PST)
Received: (from uucp@localhost) by segfault.kiev.ua (8) with UUCP id CVI14140; Fri, 24 Nov 2000 02:55:24 +0200 (EET) (envelope-from netch@iv.nn.kiev.ua)
Received: (from netch@localhost) by iv.nn.kiev.ua (8.11.1/8.11.1) id eAO0s3503800; Fri, 24 Nov 2000 02:54:03 +0200 (EET) (envelope-from netch)
Message-Id: <200011240054.eAO0s3503800@iv.nn.kiev.ua>
Date: Fri, 24 Nov 2000 02:54:03 +0200 (EET)
From: netch@netch.kiev.ua (Valentin Nechayev)
Reply-To: netch@netch.kiev.ua
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: gnu/23058: ncurses: tgoto_internal() ugliness
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 23058
>Category: gnu
>Synopsis: ncurses: tgoto_internal() ugliness
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 23 17:00:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Valentin Nechayev
>Release: FreeBSD 5.0(13)-CURRENT-20001111 i386
>Organization: private
>Environment:
System: FreeBSD iv.nn.kiev.ua 5.0(13)-CURRENT-20001111 FreeBSD 5.0(13)-CURRENT-20001111 #4: Tue Nov 21 21:24:34 EET 2000 root@iv.nn.kiev.ua:/usr/obj/usr/HEAD/src/sys/nn13 i386

>Description:
ncurses (v.5.1 of 20001009) in FreeBSD-current (version specified above) has an ugly tgoto_internal() function (file src/contrib/ncurses/ncurses/tinfo/lib_tgoto.c) which cannot deal properly with a string of length 0. screen (3.9.8 from ports, 3 hours ago) calls tgoto() with such an empty string in CPutStr(). The repeatable situation is running mutt (the popular text-mode mail user agent) with threaded grouping of letters in a mailbox inside screen's virtual terminal. Following is the diagnostics log.

Core file (to generate, set kern.sugid_coredump to 1):
-rw------- 1 netch wheel 479232 Nov 24 00:59 screen.dbg.2704.core

(gdb) bt
#0 0x281521fc in kill () from /usr/lib/libc.so.4
#1 0x28190f26 in abort () from /usr/lib/libc.so.4
#2 0x804cced in CoreDump (sigsig=11) at screen.c:1413
#3 0xbfbfffac in ?? ()
#4 0x280c658d in tgoto () from /usr/lib/libncurses.so.5
#5 0x80809e8 in CPutStr (s=0x8094f4e "", c=48) at display.c:902
#6 0x80831cc in SetFont (new=48) at display.c:1789
#7 0x8083582 in SetRendition (mc=0x80ba324) at display.c:1855
#8 0x808c374 in LSetRendition (l=0x80b800c, r=0x80ba324) at layer.c:507
#9 0x8052f06 in DesignateCharset (c=48, n=0) at ansi.c:1517
#10 0x8051966 in DoESC (c=48, intermediate=40) at ansi.c:943
#11 0x8050788 in WriteString (wp=0x80b8000, buf=0xbfbfe295 "\e[?25l\e[1;1H\e[7m\e[37m\e[40m---Mutt: /var/mail/netch 599 K [Msgs:56 New:24 Post:5]", '-' , "(39%)---\e[2;1H\e[m\e[37m\e [40m1 |\e[5C| Pavel Gulchouck\e[6C| Re: sendmail.cf.pl?\r\n2 |\e[5C| Valenti n Ne"..., len=1589) at ansi.c:546
#12 0x80689d5 in win_readev_fn (ev=0x80b8048, data=0x80b8000 "") at window.c:1768
#13 0x808e33e in sched () at sched.c:237
#14 0x804c78e in main (ac=0, av=0xbfbffb94) at screen.c:1255
#15 0x8049fb5 in _start ()

(gdb) f 5
#5 0x80809e8 in CPutStr (s=0x8094f4e "", c=48) at display.c:902
902 tputs(tgoto(s, 0, c), 1, DoAddChar);
(gdb) p s
$1 = 0x8094f4e ""
(gdb) p c
$2 = 48
(gdb) p DoAddChar
$3 = {int (int)} 0x8080918
(gdb) f 4
#4 0x280c658d in tgoto () from /usr/lib/libncurses.so.5
(gdb) info f 4
Stack frame at 0xbfbfe0ec:
eip = 0x280c658d in tgoto; saved eip 0x80809e8
called by frame at 0xbfbfe118, caller of frame at 0xbfbfe0bc
Arglist at 0xbfbfe0ec, args:
Locals at 0xbfbfe0ec, Previous frame's sp is 0x0
Saved registers:
ebx at 0xbfbfe0d4, ebp at 0xbfbfe0ec, esi at 0xbfbfe0d8, edi at 0xbfbfe0dc, eip at 0xbfbfe0f0
(gdb) x/w 0xbfbfe0f4
0xbfbfe0f4: 0x08094f4e
(gdb) x/c 0x08094f4e
0x8094f4e : 0 '\000'
(gdb) x/w 0xbfbfe0f8
0xbfbfe0f8: 0 '\000'
(gdb) x/w 0xbfbfe0fc
0xbfbfe0fc: 48 '0'

i.e., string=="", x==0, y==48

(gdb) disas 0x280c658d
Dump of assembler code for function tgoto:
0x280c6554 : push %ebp
0x280c6555 : mov %esp,%ebp
0x280c6557 : sub $0xc,%esp
0x280c655a : push %edi
0x280c655b : push %esi
0x280c655c : push %ebx
0x280c655d : call 0x280c6562
0x280c6562 : pop %ebx
0x280c6563 : add $0x2e112,%ebx
0x280c6569 : mov 0x8(%ebp),%esi (%esi <- string)
0x280c656c : mov 0x10(%ebp),%edi (%edi <- y)
0x280c656f : add $0xfffffff4,%esp
0x280c6572 : push %esi (string)
0x280c6573 : call 0x280c6044 <_nc_lib_traceatr+8> (is_termcap(string).)
0x280c6578 : add $0x10,%esp
0x280c657b : test %al,%al
0x280c657d : je 0x280c6590
0x280c657f : add $0xfffffffc,%esp
0x280c6582 : push %edi (y)
0x280c6583 : mov 0xc(%ebp),%eax
0x280c6586 : push %eax (x)
0x280c6587 : push %esi (string)
0x280c6588 : call 0x280c6088 <_nc_lib_traceatr+76> (tgoto_internal(string,x,y))
0x280c658d : jmp 0x280c659e

The bad function is tgoto_internal(). In the case when the string is empty, the local variables "result" and "length" keep garbage; code such as "strcpy(result + used, BC);" and "result[used] = '\0';" breaks program consistency.

>How-To-Repeat:
See Description

>Fix:
tgoto_internal() should check for the situation when, after the string parsing cycle, result is still NULL. I propose

--- lib_tgoto.c.orig Wed Oct 11 10:30:24 2000 +++ lib_tgoto.c Fri Nov 24 02:47:45 2000 @@ -168,6 +168,8 @@ } string++; } + if (!result) + return NULL; if (need_BC) { strcpy(result + used, BC); used += strlen(BC);

but I am not sure about my deep understanding of how curses works.

>Release-Note:
>Audit-Trail:
>Unformatted:
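Review bot: The added "if (!result) return NULL;" after the parsing loop only catches the empty-string case if "result" is known to be NULL when the loop processed no characters, yet the report itself says "result" and "length" keep garbage in that case; if they are uninitialized rather than NULL-initialized the test does nothing, so either initialize them explicitly before the loop or reject the empty input up front with a check such as "if (*string == '\0')". Returning NULL also just moves the problem to the caller: the backtrace shows screen feeding the result directly into "tputs(tgoto(s, 0, c), 1, DoAddChar);", so unless tputs rejects a NULL string the crash shifts from tgoto to tputs; returning the (empty) input string, which needs no cursor substitution, would keep tgoto's contract of always returning a usable string. The hunk would also benefit from a one-line comment saying why the early return is needed.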