URL: <http://savannah.gnu.org/bugs/?46401>
Summary: Global out of bounds read in termcap.c due to wrong loop
Project: GNU Screen
Submitted by: None
Submitted on: Sun 08 Nov 2015 07:03:44 PM UTC
Category: Program Logic
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

I tested screen with the compiler feature Address Sanitizer (-fsanitize=address in CFLAGS/LDFLAGS).

When running screen on a real Linux console (not in an X terminal) it didn't start due to an error. The error can't be seen directly because screen disables stderr; to reproduce it one can use ASAN_OPTIONS="log_path=[somepath]".

The problem is this code in termcap.c:

    s = "l+m+k+j+u+t+v+w+q-x|n+o~s_p\"r#`+a:f'g#~o.v-^+<,>h#I#0#y<z>";
    for (i = strlen(s) & ~1; i >= 0; i -= 2)
      D_c0_tab[(int)(unsigned char)s[i]] = s[i + 1];

The loop will start right of the string s. One needs to subtract 2 from strlen(s) for the code to be correct.

Right after that is a loop with the same logic, so the same fix should be applied. I will attach a patch that fixes both. Will also attach the address sanitizer error message.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Sun 08 Nov 2015 07:03:44 PM UTC
Name: screen-fix-oob.diff
Size: 616B
By: None
<http://savannah.gnu.org/bugs/download.php?file_id=35419>

-------------------------------------------------------
Date: Sun 08 Nov 2015 07:03:44 PM UTC
Name: screen-asan-error.10850
Size: 2kB
By: None
<http://savannah.gnu.org/bugs/download.php?file_id=35420>

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?46401>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
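
The index arithmetic behind the report, as an added example that is not part of the original report or of GNU Screen's source. It computes which indices each loop start would touch without dereferencing them; the helper names are hypothetical, and start_adjusted follows the report's description (subtract 2), since the attached patch is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* The string literal quoted in the report (termcap.c): key/value pairs. */
static const char *c0_pairs =
    "l+m+k+j+u+t+v+w+q-x|n+o~s_p\"r#`+a:f'g#~o.v-^+<,>h#I#0#y<z>";

/* Start index of the loop as quoted in the report. */
static int start_reported(const char *s) { return (int)(strlen(s) & ~(size_t)1); }

/* Start index after subtracting 2, as the report describes (assumption:
 * the attached patch itself is not visible on the page). */
static int start_adjusted(const char *s) { return start_reported(s) - 2; }

/* Highest index the loop body touches on its first pass, s[i + 1].
 * Returns -1 when the loop never runs. Nothing is dereferenced here. */
static int highest_index_read(int start) { return start >= 0 ? start + 1 : -1; }

/* The terminator at s[strlen(s)] is the last valid byte of the array. */
static int in_bounds(const char *s, int idx) { return idx <= (int)strlen(s); }

/* Fill a 256-entry table using the adjusted loop; returns pairs stored. */
static int fill_table(const char *s, char tab[256])
{
    int i, n = 0;
    for (i = start_adjusted(s); i >= 0; i -= 2) {
        tab[(int)(unsigned char)s[i]] = s[i + 1];
        n++;
    }
    return n;
}

int main(void)
{
    char tab[256] = {0};
    int hr = highest_index_read(start_reported(c0_pairs));
    int ha = highest_index_read(start_adjusted(c0_pairs));
    printf("strlen=%zu, reported loop first reads s[%d]: %s\n", strlen(c0_pairs),
           hr, in_bounds(c0_pairs, hr) ? "in bounds" : "out of bounds");
    printf("adjusted loop first reads s[%d]: %s, %d pairs stored\n", ha,
           in_bounds(c0_pairs, ha) ? "in bounds" : "out of bounds",
           fill_table(c0_pairs, tab));
    return 0;
}
```

With an odd-length string the reported start index lands on the last character and s[i + 1] is the terminator, so the out-of-bounds read only appears when the string length is even, as it is here.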