Hi,

the bug exists because screen's "struct action" provides no explicit way to store the number of arguments, and doing

    bind u digraph U+

results in act->args being allocated for two "char *"s (including a terminating NULL), but act->argl only for one int... By the way, both allocations I'm talking about (process.c:4698):

    if ((pp = (char **)malloc((unsigned)(argc + 1) * sizeof(char **))) == 0)
      Panic(0, "%s", strnomem);
    if ((lp = (int *)malloc((unsigned)(argc) * sizeof(int *))) == 0)
      Panic(0, "%s", strnomem);

should have one '*' fewer in the sizeof(); we're allocating room for ints, not for pointers.

Anyway, DoAction() finally checks in the RC_DIGRAPH case (process.c:3858):

    if (argl && argl[0] > 0 && argl[1] > 0)

and as argl[] is only one member wide, the final "argl[1]" could be anything; apparently on x86 we're just lucky that it's indeed 0. (If it's not, then the following code will try to dereference args[1], which is the terminating NULL that was placed earlier.)

Quick fix for users: initialize argl[1] by instead doing

    bind u digraph U+ ""

Suggested code fix: RC_DIGRAPH should probably check that args[1] != NULL before checking argl[1] > 0 (because the latter is meaningless without the former, as discussed).

Jan

-- 
Jan Nordholz <jnordh...@sec.t-labs.tu-berlin.de>
Security in Telecommunications <fgsect.de>
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58663
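The length mismatch described in the report, modelled as an added example that is not part of the original message or of screen's own code. The "struct action" here is a hypothetical stand-in with the same shape the report describes (a NULL-terminated args array, an argl array of exactly argc ints, and no stored count); make_action() allocates the way bind is said to, with the sizeof() operands corrected to sizeof(char *) and sizeof(int). Rather than perform the out-of-bounds read of argl[1] (undefined behaviour), buggy_check_reads_past_argl() reports whether the quoted check would step past the end of argl, and digraph_has_two_args() is the suggested fix: args[1] != NULL is tested before argl[1] is touched.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of screen's "struct action" as the report describes it:
 * args holds argc pointers plus a terminating NULL, argl holds exactly argc
 * ints, and nothing records argc itself. */
struct action {
    char **args;
    int *argl;
};

/* Build an action the way the report says bind does, with the sizeof()
 * operands corrected to sizeof(char *) and sizeof(int). */
static struct action make_action(int argc, const char **argv)
{
    struct action act;
    act.args = malloc((size_t)(argc + 1) * sizeof(char *));
    act.argl = malloc((size_t)argc * sizeof(int));
    if (act.args == NULL || (argc > 0 && act.argl == NULL)) {
        perror("malloc");
        exit(1);
    }
    for (int i = 0; i < argc; i++) {
        act.args[i] = strdup(argv[i]);
        act.argl[i] = (int)strlen(argv[i]);
    }
    act.args[argc] = NULL;   /* the only record of where the arguments end */
    return act;
}

static void free_action(struct action *act)
{
    for (int i = 0; act->args != NULL && act->args[i] != NULL; i++)
        free(act->args[i]);
    free(act->args);
    free(act->argl);
    act->args = NULL;
    act->argl = NULL;
}

/* Recover argc from the NULL terminator, the only length information kept. */
static int count_args(const struct action *act)
{
    int n = 0;
    while (act->args != NULL && act->args[n] != NULL)
        n++;
    return n;
}

/* The check shape the report quotes, "argl[0] > 0 && argl[1] > 0", reads
 * argl[1] whenever argl[0] > 0, regardless of how many arguments exist.
 * Instead of performing that read, report whether it would fall past the
 * end of the argc-element argl allocation (1 = yes, 0 = no). */
static int buggy_check_reads_past_argl(const struct action *act)
{
    int argc = count_args(act);
    if (argc == 0 || act->argl == NULL || act->argl[0] <= 0)
        return 0;
    return argc < 2;
}

/* The suggested fix: only look at argl[1] once args[1] is known to exist.
 * Each args[i] test guarantees argl[i] is inside the allocation. */
static int digraph_has_two_args(const struct action *act)
{
    return act->args != NULL && act->argl != NULL
        && act->args[0] != NULL && act->argl[0] > 0
        && act->args[1] != NULL && act->argl[1] > 0;
}

int main(void)
{
    /* Constructed inputs: the failing binding and the report's workaround. */
    const char *one[] = { "U+" };        /* bind u digraph U+ */
    const char *two[] = { "U+", "" };    /* bind u digraph U+ "" */
    struct action a = make_action(1, one);
    struct action b = make_action(2, two);
    printf("U+     : quoted check reads past argl=%d, fixed check=%d\n",
           buggy_check_reads_past_argl(&a), digraph_has_two_args(&a));
    printf("U+ \"\"  : quoted check reads past argl=%d, fixed check=%d\n",
           buggy_check_reads_past_argl(&b), digraph_has_two_args(&b));
    free_action(&a);
    free_action(&b);
    return 0;
}
```

With a single argument the quoted check would read one int past argl, while the fixed check stops at args[1] == NULL; the "" workaround only helps because it makes argc two, so argl[1] exists and holds 0.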
bind u digraph U+ results in act->args being allocated for two "char *"s (including a terminating NULL), but act->argl only for one int... by the way, both allocations I'm talking about (process.c:4698): if ((pp = (char **)malloc((unsigned)(argc + 1) * sizeof(char **))) == 0) Panic(0, "%s", strnomem); if ((lp = (int *)malloc((unsigned)(argc) * sizeof(int *))) == 0) Panic(0, "%s", strnomem); should have a '*' less in the sizeof(), we're allocating room for ints, not for pointers. Anyway, DoAction() finally checks in the RC_DIGRAPH case (process.c:3858): if (argl && argl[0] > 0 && argl[1] > 0) And as argl[] is only one member wide, the final "argl[1]" could be anything; and apparently on x86 we're just lucky that it's indeed 0. (If it's not, then the following code will try to dereference args[1], which is the terminating NULL that was placed earlier.) Quick fix for users: initialize argl[1] by instead doing bind u digraph U+ "" Suggested code fix: RC_DIGRAPH should probably check that args[1] != NULL before checking argl[1] > 0 (because the latter is meaningless without the former, as discussed). Jan -- Jan Nordholz <jnordh...@sec.t-labs.tu-berlin.de> Security in Telecommunications <fgsect.de> TU Berlin / Telekom Innovation Laboratories Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany phone: +49 30 8353 58663