Re: Critical bug in ncurses 6.0

[Thomas Dickey]

On Fri, Jun 26, 2015 at 03:47:44PM +0200, Johannes Schindelin wrote:
> Hi ncurses maintainers,
> 
> I believe I found a really awful bug in ncurses 6.0-20150613: when

for the record, it's still a pre-release (thanks for the feedback)

> TERM is set to a value that does not correspond to a subdirectory in
> /usr/share/terminfo/??/.
> 
> The reason is that the `drv_CanHandle()` function in
> `ncurses/tinfo/tinfo_driver.c` wants to return a `bool`, but reuses
> the `ret_error*()` functions from `ncurses/curses.priv.h` that
> returns `ERR` which is (-1) and is mapped to `TRUE`!!!
> 
> As a consequence, the driver is used by mistake in
> `_nc_get_driver()` in `ncurses/base/lib_driver.c` and uses `free()`d
> data (by continuing to use the `termp` variable that no longer
> points at allocated memory!).
> 
> This causes a crash in Git for Windows 2.x (which I am maintaining)
> when calling Bash with an unknown `TERM` value.
> 
> Please consider the following patch, which is also available on
> GitHub (because my mail program will most likely corrupt the patch): 
> https://raw.githubusercontent.com/git-for-windows/MSYS2-packages/fix-ncurses-crash/ncurses/0001-CRITICAL-fix-return-value-of-drv_CanHandle-on-unknow.patch
> 
> -- snipsnap --
> From 41f152b6e8bea7e92be960158ef4bd9df34dd8a0 Mon Sep 17 00:00:00 2001
> From: Johannes Schindelin <address@hidden>
> Date: Fri, 26 Jun 2015 13:19:49 +0000
> Subject: [PATCH] CRITICAL: fix return value of drv_CanHandle on unknown
>  terminal
> 
> By mistake, the 5.9 -> 6.0 patches tried to reuse the `ret_error*()`
> functions in both lib_driver.c and tinfo_driver.c. However, in the
...

I see that was from

20110813
        + double-check gn (generic) flag in terminal descriptions to
          accommodate old/buggy termcap databases which misused that feature.
 
-- 
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net

signature.asc
Description: Digital signature