URL:
<https://savannah.gnu.org/bugs/?54644>
Summary: crash on dinfo, "stack smashing detected"
Project: GNU Screen
Submitted by: jxyzn
Submitted on: Tue 11 Sep 2018 01:59:26 AM UTC
Category: Program Logic
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.99.0
Fixed Release: None
Planned Release: None
Work Required: None
_______________________________________________________
Details:
screen 4.99.0 (built from source pulled today) will crash when running
'dinfo'.
strace shows:
ioctl(3, TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) =
0
ioctl(3, TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or
address)
writev(2, [{"*** ", 4}, {"stack smashing detected", 23}, {" ***: ", 6},
{"SCREEN", 6}, {" terminated\n", 12}], 5) = 51
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa3aa8bf000
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(1149, 1149, SIGABRT) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=1149, si_uid=1000}
---
+++ killed by SIGABRT +++
This seems to be caused by faulty pointer/buffer-length tracking in
process.c:ShowDInfo(). Pointer position 'p', meant to be incremented by the
length of the string written to the buffer, is instead incremented by (length
of the buffer - length of the string written to the buffer), quickly shooting
past the end of the allocated buffer space.
Here's a git diff with a fix:
diff --git a/src/process.c b/src/process.c
index 29ed1ea..8aab912 100644
--- a/src/process.c
+++ b/src/process.c
@@ -6229,28 +6229,33 @@ static void ShowInfo(void)
static void ShowDInfo(void)
{
char buf[512], *p;
- int l;
+ int l, w;
if (display == NULL)
return;
p = buf;
l = 512;
- sprintf(p, "(%d,%d)", D_width, D_height), l -= strlen(p);
- p += l;
+ sprintf(p, "(%d,%d)", D_width, D_height);
+ w = strlen(p);
+ l -= w;
+ p += w;
if (D_encoding) {
*p++ = ' ';
strncpy(p, EncodingName(D_encoding), l);
- l -= strlen(p);
- p += l;
+ w = strlen(p);
+ l -= w;
+ p += w;
}
if (D_CXT) {
strncpy(p, " xterm", l);
- l -= strlen(p);
- p += l;
+ w = strlen(p);
+ l -= w;
+ p += w;
}
if (D_hascolor) {
strncpy(p, " color", l);
- l -= strlen(p);
- p += l;
+ w = strlen(p);
+ l -= w;
+ p += w;
}
if (D_CG0)
strncpy(p, " iso2022", l);
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?54644>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
