From owner-freebsd-bugs Sat Jun 16 23: 0:21 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id B720B37B407
	for ; Sat, 16 Jun 2001 23:00:02 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.3/8.11.3) id f5H602r53134;
	Sat, 16 Jun 2001 23:00:02 -0700 (PDT)
	(envelope-from gnats)
Received: from D00015.dialonly.kemerovo.su (www2.svzserv.kemerovo.su [213.184.65.86])
	by hub.freebsd.org (Postfix) with ESMTP id 2F41437B401
	for ; Sat, 16 Jun 2001 22:51:54 -0700 (PDT)
	(envelope-from eugen@D00015.dialonly.kemerovo.su)
Received: (from eugen@localhost)
	by D00015.dialonly.kemerovo.su (8.11.3/8.11.3) id f5H5oP807363;
	Sun, 17 Jun 2001 13:50:25 +0800 (KRAST)
	(envelope-from eugen)
Message-Id: <200106170550.f5H5oP807363@D00015.dialonly.kemerovo.su>
Date: Sun, 17 Jun 2001 13:50:25 +0800 (KRAST)
From: Eugene Grosbein
Reply-To: eugen@grosbein.pp.ru
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/28221: dialog(1) segfaults (due to the bug in libdialog?)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         28221
>Category:       bin
>Synopsis:       dialog(1) segfaults (due to the bug in libdialog?)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 16 23:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
ISP Svyaz-Service
>Environment:
System: FreeBSD 4.3-STABLE #4: Wed Jun 6 21:57:52 KRAST 2001

>Description:
dialog(1) segfaults with incorrect parameters due to the lack of checks
in it or /usr/src/gnu/lib/libdialog/menubox.c.
Precisely, there is code at about line 450 of menubox.c:

/*
 * Print menu item
 */
static void
print_item(WINDOW *win, unsigned char *tag, unsigned char *item, int choice,
           int selected, dialogMenuItem *me, int menu_width, int tag_x,
           int item_x)
{
    int i;

    /* Clear 'residue' of last item */
    wattrset(win, menubox_attr);
    wmove(win, choice, 0);
    for (i = 0; i < menu_width; i++)
        waddch(win, ' ');
    wmove(win, choice, tag_x);
    wattrset(win, selected ? tag_key_selected_attr : tag_key_attr);
    waddch(win, tag[0]);
                ^^^^^^ when tag==NULL, dialog(1) segfaults

>How-To-Repeat:
Type:

    dialog --menu "" 15 40 "" "" off

Now press the 'Down' arrow key and dialog segfaults.
Here is gdb(1) output:

# gdb `which dialog` dialog.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `dialog'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libdialog.so.4...done.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x28070ce6 in print_item (win=0x8050400, tag=0x0,
    item=0xbfbffc6f "MACHTYPE=i386", choice=1, selected=1, me=0x0,
    menu_width=34, tag_x=14, item_x=16)
    at /usr/src/gnu/lib/libdialog/menubox.c:450
450         waddch(win, tag[0]);
(gdb) bt
#0  0x28070ce6 in print_item (win=0x8050400, tag=0x0,
    item=0xbfbffc6f "MACHTYPE=i386", choice=1, selected=1, me=0x0,
    menu_width=34, tag_x=14, item_x=16)
    at /usr/src/gnu/lib/libdialog/menubox.c:450
#1  0x28070762 in dialog_menu (title=0x0, prompt=0xbfbffc62 "", height=15,
    width=40, menu_height=0, cnt=1, it=0xbfbffb68, result=0xbfbff2fc "",
    ch=0x0, sc=0x0) at /usr/src/gnu/lib/libdialog/menubox.c:300
#2  0x80490d6 in main (argc=8, argv=0xbfbffb50)
    at /usr/src/gnu/usr.bin/dialog/dialog.c:262
#3  0x80489ed in _start ()

>Fix:
Perhaps, add some checks? I have no experience with ncurses.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
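
A sketch of the kind of checks the Fix section asks about, as an added example that is not part of the original report or of libdialog. The helper names are hypothetical and the flat tag/item array layout is an assumption; the sample data mirrors the backtrace, where cnt=1 but print_item is reached with choice=1, tag=0x0 and item="MACHTYPE=i386".

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers, not libdialog API. `items` is a flat array of
 * tag/item pairs (assumed layout); `cnt` is the number of pairs. */

/* Index of the first pair with a NULL tag or item, or -1 if all `cnt`
 * pairs are usable. An empty menu reports index 0 as unusable. */
int menu_validate(char *const *items, int cnt)
{
    if (items == NULL || cnt <= 0)
        return 0;
    for (int i = 0; i < cnt; i++)
        if (items[2 * i] == NULL || items[2 * i + 1] == NULL)
            return i;
    return -1;
}

/* Move the selection by `delta`, clamped to [0, cnt - 1], so 'Down' on
 * the last entry cannot step past the array. */
int menu_move(int cur, int delta, int cnt)
{
    int next = cur + delta;
    if (cnt <= 0 || next < 0)
        return 0;
    return next >= cnt ? cnt - 1 : next;
}

/* Checked replacement for a bare tag[0] read: stores the character to
 * draw in *out and returns 0, or returns -1 (leaving *out alone) when
 * idx is not a valid entry. An empty tag is drawn as a blank. */
int menu_tag_char(char *const *items, int cnt, int idx, char *out)
{
    if (items == NULL || idx < 0 || idx >= cnt || items[2 * idx] == NULL)
        return -1;
    *out = items[2 * idx][0] ? items[2 * idx][0] : ' ';
    return 0;
}

int main(void)
{
    /* Constructed sample: one real pair, then a NULL and an unrelated
     * string, matching tag=0x0 and item="MACHTYPE=i386" above. */
    char *tail[] = { "", "off", NULL, "MACHTYPE=i386" };
    char c = '?';
    printf("validate=%d move=%d oob=%d\n", menu_validate(tail, 1),
           menu_move(0, 1, 1), menu_tag_char(tail, 1, 1, &c));
    return 0;
}
```

Clamping the selection and checking the index at the point of use are independent; either one alone stops the NULL read shown in frame #0.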