Hi,

* Craig Small <csm...@debian.org> [2011-03-07 10:49]:
> On Sun, Mar 06, 2011 at 09:38:09PM +0100, Stefano Zacchiroli wrote:
> > I'm not sure if the problem is in newsbeuter (e.g. using the lib in some
> > inappropriate way which worked up to now) or in libncursesw5 (e.g. unexpected/
> > undeclared ABI change). I'm Cc:-ing the libncursesw5 maintainer with this bug
> > report.
> newsbeuter is calling stfl_ipool_fromwc() which is part of the stfl
> package. It's dying between stfl and ncurses.
>
> stfl is a statically linked library
What do you mean?

  $ file libstfl.so.0.21
  libstfl.so.0.21: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped

> , recompiling stfl and linking
> newsbeuter to that library makes a working binary. You can never be 100%
> sure, but I don't think the problem lies with newsbeuter.

I also can't reproduce this problem with a recompiled version of ncurses.
So unfortunately a version of stfl with debug symbols doesn't help.
Looking at a version of newsbeuter with debug symbols I see this is dying
as follows:

  #0  0x00007f66190ad5ce in stfl_style () from /usr/lib/libstfl.so.0
  => 0x00007f66190ad5ce <stfl_style+1318>:  4c 89 6f 10    mov    QWORD PTR [rdi+0x10],r13

By looking at the stfl source code as well as the object dump of the stfl
library the problematic code is:

|         stfl_colorpair_fg[i] = fg_color;
|         stfl_colorpair_bg[i] = bg_color;
|         stfl_colorpair_counter++;
|     }
|
|     wattrset(win, attr);
|     wcolor_set(win, i, NULL);

This corresponds to the following assembler:

  65a8:  8b 4d bc                mov    ecx,DWORD PTR [rbp-0x44]
  65ab:  44 89 34 82             mov    DWORD PTR [rdx+rax*4],r14d
  65af:  48 8d 15 2a 62 20 00    lea    rdx,[rip+0x20622a]        # 20c7e0 <curses_active+0xc>
  65b6:  89 0c 82                mov    DWORD PTR [rdx+rax*4],ecx
  65b9:  48 8b 05 00 5b 20 00    mov    rax,QWORD PTR [rip+0x205b00]        # 20c0c0 <_fini+0x202318>
  65c0:  ff 00                   inc    DWORD PTR [rax]
  65c2:  48 8b 7d b0             mov    rdi,QWORD PTR [rbp-0x50]
  65c6:  4d 63 ed                movsxd r13,r13d
  65c9:  0f bf f3                movsx  esi,bx
  65cc:  31 d2                   xor    edx,edx
  65ce:  4c 89 6f 10             mov    QWORD PTR [rdi+0x10],r13
  65d2:  e8 b9 cf ff ff          call   3590 <wcolor_set@plt>

65c2-65ce should be the code produced by the wattrset macro. gdb tells me:

  (gdb) print $rdi
  $1 = 0

so "mov QWORD PTR [rdi+0x10],r13" results in an invalid write.
wattrset is defined as:

  #define wattrset(win,at)    ((win) \
                               ? ((win)->_attrs = NCURSES_CAST(attr_t, at), \
                                  OK) \
                               : ERR)

So QWORD PTR [rdi+0x10] should correspond to win->_attrs, meaning that in
this case win would be null. How can this be?
It is definitely not a newsbeuter bug and I'm not sure if it is an stfl
bug to be honest.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
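To make the NULL guard in the quoted macro concrete, here is an added stand-alone C example (not from the thread and not ncurses code) that runs the macro against a constructed stand-in struct and contrasts it with the unconditional store the disassembly shows. The WINDOW layout, the 8-byte attr_t and the wrapper function names are assumptions chosen only so that _attrs lands at offset 0x10 like the faulting "mov QWORD PTR [rdi+0x10],r13"; they are not the real ncurses definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for ncurses' WINDOW (an assumption, not the real
 * definition): seven 16-bit fields, then an 8-byte attribute word, so that
 * _attrs lands at offset 0x10 like the faulting store in the disassembly. */
typedef unsigned long attr_t;
typedef struct {
    short _cury, _curx, _maxy, _maxx, _begy, _begx, _flags;
    attr_t _attrs;
} WINDOW;
#define OK  (0)
#define ERR (-1)
#define NCURSES_CAST(type, value) ((type)(value))

/* The macro as quoted in the mail: the store is guarded by a NULL test. */
#define wattrset(win, at) ((win) \
    ? ((win)->_attrs = NCURSES_CAST(attr_t, at), OK) \
    : ERR)

/* Wrapper so the macro's result can be observed: NULL yields ERR, no write. */
int guarded_wattrset(WINDOW *win, int at)
{
    return wattrset(win, at);
}

/* What the disassembly shows instead: an unconditional store through win;
 * with win == NULL this is the invalid write gdb reported. */
int unguarded_wattrset(WINDOW *win, int at)
{
    win->_attrs = NCURSES_CAST(attr_t, at);
    return OK;
}

/* Sets the attribute on a local window via the guarded macro, reads it back. */
long roundtrip_attrs(int at)
{
    WINDOW w = {0};
    return guarded_wattrset(&w, at) == OK ? (long)w._attrs : -1L;
}
size_t attrs_offset(void)
{
    return offsetof(WINDOW, _attrs);   /* 0x10 with the assumed layout */
}

int main(void)
{
    printf("_attrs offset: 0x%zx\n", attrs_offset());
    printf("guarded NULL -> %d, roundtrip(7) -> %ld\n",
           guarded_wattrset(NULL, 7), roundtrip_attrs(7));
    return 0;   /* unguarded_wattrset(NULL, 7) would fault here */
}
```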