[PATCH] Incorrect bounds check in wredrawln
From: David A Benjamin
Subject: [PATCH] Incorrect bounds check in wredrawln
Date: Wed, 28 Apr 2010 19:05:14 -0400 (EDT)
User-agent: Alpine 1.10 (DEB 962 2008-03-14)
The function wredrawln attempts to check for off-screen windows to avoid
buffer overflow; however, it fails to take window offset into account and
misses several problems.
Here are two sample programs that test this.
http://web.mit.edu/davidben/Public/curses_x.c
http://web.mit.edu/davidben/Public/curses_y.c
Not every stray write appears to result in a segfault. (On my machine,
curses_y 1 manages, but curses_x seems to escape notice.) Valgrind can
catch the stray writes more accurately.
Here is a patch that should apply to ncurses-5.7-20100424.
- David Benjamin
diff --git a/ncurses/base/lib_redrawln.c b/ncurses/base/lib_redrawln.c
index 5696205..b550287 100644
--- a/ncurses/base/lib_redrawln.c
+++ b/ncurses/base/lib_redrawln.c
@@ -66,14 +66,14 @@ wredrawln(WINDOW *win, int beg, int num)
returnCode(ERR);
end = beg + num;
- if (end > CurScreen(sp)->_maxy + 1)
- end = CurScreen(sp)->_maxy + 1;
+ if (end > CurScreen(sp)->_maxy + 1 - win->_begy)
+ end = CurScreen(sp)->_maxy + 1 - win->_begy;
if (end > win->_maxy + 1)
end = win->_maxy + 1;
len = (win->_maxx + 1);
- if (len > (size_t) (CurScreen(sp)->_maxx + 1))
- len = (size_t) (CurScreen(sp)->_maxx + 1);
+ if (len > (size_t) (CurScreen(sp)->_maxx + 1 - win->_begx))
+ len = (size_t) (CurScreen(sp)->_maxx + 1 - win->_begx);
len *= sizeof(CurScreen(sp)->_line[0].text[0]);
for (i = beg; i < end; i++) {
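Review bot: in the new len clamp, the difference CurScreen(sp)->_maxx + 1 - win->_begx is cast to size_t before the comparison, so if win->_begx is ever larger than CurScreen(sp)->_maxx + 1 the negative result wraps to a very large value, the test "len > ..." is false, and len keeps the full window width. Suggest computing the difference as an int first, returning early (or using a length of 0) when it is not positive, and only then casting to size_t. The row clamp above does not share this problem: a negative end simply makes "for (i = beg; i < end; i++)" run zero times.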
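The effect of the window offset on both clamps, as an added example that is not part of the original message or of ncurses. It is a simplified C model that assumes the redraw touches screen row `_begy + i` and starts at column `_begx` (which the patched limits imply); `struct geom`, the helper names and the sample 24x80 screen with a 10x20 window at (20,70) are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: only the geometry fields the check reads. */
struct geom { int begy, begx, maxy, maxx; };
/* Constructed sample: 24x80 screen, 10x20 window placed at row 20, col 70. */
static const struct geom SCR = {0, 0, 23, 79}, WIN = {20, 70, 9, 19};

/* Row clamp; patched=0 reproduces the original check that ignores begy. */
static int end_row(const struct geom *scr, const struct geom *win,
                   int beg, int num, int patched)
{
    int limit = scr->maxy + 1 - (patched ? win->begy : 0);
    int end = beg + num;
    if (end > limit) end = limit;
    if (end > win->maxy + 1) end = win->maxy + 1;
    return end;
}

/* Column clamp in cells; patched=0 reproduces the check that ignores begx. */
static size_t len_cells(const struct geom *scr, const struct geom *win, int patched)
{
    size_t len = (size_t) (win->maxx + 1);
    int limit = scr->maxx + 1 - (patched ? win->begx : 0);
    if (len > (size_t) limit) len = (size_t) limit;
    return len;
}

/* Window rows in [beg, end) whose screen row begy + i lies below the screen. */
static int rows_off_screen(const struct geom *scr, const struct geom *win,
                           int beg, int end)
{
    int i, n = 0;
    for (i = beg; i < end; i++)
        if (win->begy + i > scr->maxy) n++;
    return n;
}

/* Cells past the right screen edge when len cells start at column begx. */
static long cells_off_screen(const struct geom *scr, const struct geom *win, size_t len)
{
    long over = (long) win->begx + (long) len - (scr->maxx + 1);
    return over > 0 ? over : 0;
}

int main(void)
{
    int p;
    for (p = 0; p <= 1; p++) {
        int end = end_row(&SCR, &WIN, 0, 10, p);
        size_t len = len_cells(&SCR, &WIN, p);
        printf("%s: end=%d rows_off=%d len=%lu cells_off=%ld\n",
               p ? "patched" : "original", end, rows_off_screen(&SCR, &WIN, 0, end),
               (unsigned long) len, cells_off_screen(&SCR, &WIN, len));
    }
    return 0;
}
```

With the original clamps the model reports rows and cells outside the screen array for this geometry; with the patched clamps both counts drop to zero.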