Follow-up Comment #2, bug #58259 (project screen): Finally had a chance to take a look at this one... found the source of the problem:
termcap.c:156

    case T_STR: D_tcs[i].str = e_tgetstr(term[i].tcname, &tp);

tgetstr(): the tp buffer is expected to have 1024, but tp is advanced on return... and there's no check on overflow when called repeatedly. If the source is termcap, a 1024 buffer is fine as that's the standard termcap size limit anyway... with a terminfo source, the limit is really T_STR (1024) * T_N entries... unlikely, but quite legal.

There's a function called t_agetstr which handles (re)allocation of the buffer, but may not be available on all platforms. A portable solution would be to pass NULL as tp and then copy the return value to a realloc'd buffer locally sized to handle the value. Using TERMCAP_BUFSIZE for tp is really not correct here (regardless of value).

I could supply a patch to handle a realloc buffer solution, unless someone has a better solution?

Reply to this item at: <https://savannah.gnu.org/bugs/?58259>

Message sent via Savannah https://savannah.gnu.org/
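The two shapes discussed in the comment, as an added example that is not code from the screen project or from the commenter: a shared fixed-size scratch area with the missing bounds check added (so a run of capability lookups stops instead of writing past the buffer), and the portable alternative of copying each returned string into a realloc-grown store addressed by offset. `lookup_cap()` and its `CAPS` table are constructed stand-ins for `tgetstr(name, NULL)` and the terminal database, so the code runs without a termcap or terminfo library; `TERMCAP_BUFSIZE` is assumed to be 1024, the classic termcap limit the comment mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERMCAP_BUFSIZE 1024   /* assumed value: classic termcap buffer limit */

/* Constructed capability table standing in for the terminal database. */
struct cap { const char *name; const char *value; };
static const struct cap CAPS[] = {
    { "cl", "\033[H\033[2J" },
    { "ce", "\033[K" },
    { "ks", "\033[?1h\033=" },
    { "ke", "\033[?1l\033>" },
};

/* Stand-in for tgetstr(name, NULL): returns the library's own copy of the
 * string, which the caller must copy before it is reused. */
static const char *lookup_cap(const char *name) {
    for (size_t i = 0; i < sizeof CAPS / sizeof CAPS[0]; i++)
        if (strcmp(CAPS[i].name, name) == 0)
            return CAPS[i].value;
    return NULL;
}

/* Shared-buffer shape with the check the comment says is missing: copy into
 * *area and advance it, but refuse when the string would not fit before end. */
static char *bounded_tgetstr(const char *name, char **area, const char *end) {
    const char *v = lookup_cap(name);
    if (v == NULL) return NULL;
    size_t n = strlen(v) + 1;                    /* include the NUL */
    if ((size_t)(end - *area) < n) return NULL;  /* would overflow: stop */
    char *start = *area;
    memcpy(start, v, n);
    *area += n;
    return start;
}

/* How many lookups of `name` fit in one TERMCAP_BUFSIZE area when the
 * pointer is advanced after every call, as in the reported loop. */
static size_t fill_fixed_buffer(const char *name, size_t attempts) {
    char buf[TERMCAP_BUFSIZE];
    char *tp = buf;
    size_t ok = 0;
    for (size_t i = 0; i < attempts; i++)
        if (bounded_tgetstr(name, &tp, buf + sizeof buf) != NULL) ok++;
    return ok;
}

/* Portable alternative: a realloc-grown store. Entries are addressed by
 * offset because realloc may move the block and invalidate raw pointers. */
struct capstore { char *buf; size_t len, cap; };

/* Append the value of `name`; return its offset, or (size_t)-1 on failure. */
static size_t capstore_add(struct capstore *s, const char *name) {
    const char *v = lookup_cap(name);
    if (v == NULL) return (size_t)-1;
    size_t n = strlen(v) + 1;
    if (s->len + n > s->cap) {
        size_t newcap = s->cap ? s->cap : 64;
        while (newcap < s->len + n) newcap *= 2;
        char *nb = realloc(s->buf, newcap);
        if (nb == NULL) return (size_t)-1;
        s->buf = nb;
        s->cap = newcap;
    }
    memcpy(s->buf + s->len, v, n);
    size_t off = s->len;
    s->len += n;
    return off;
}

static const char *capstore_get(const struct capstore *s, size_t off) {
    return s->buf + off;
}

static void capstore_free(struct capstore *s) {
    free(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
}

/* Load `name` `count` times into a store; return the bytes used, or 0 if any
 * lookup failed or a stored entry does not read back as the original value. */
static size_t load_many(const char *name, size_t count) {
    struct capstore s = {0};
    size_t first = 0, last = 0;
    for (size_t i = 0; i < count; i++) {
        size_t off = capstore_add(&s, name);
        if (off == (size_t)-1) { capstore_free(&s); return 0; }
        if (i == 0) first = off;
        last = off;
    }
    const char *expect = lookup_cap(name);
    size_t used = s.len;
    if (count == 0 || expect == NULL ||
        strcmp(capstore_get(&s, first), expect) != 0 ||
        strcmp(capstore_get(&s, last), expect) != 0)
        used = 0;
    capstore_free(&s);
    return used;
}

int main(void) {
    printf("fixed buffer holds %zu copies of ks\n", fill_fixed_buffer("ks", 300));
    printf("growable store used %zu bytes for 300 copies of ks\n", load_many("ks", 300));
    return 0;
}
```

The bounded variant shows where the original loop has no stop condition: with 8-byte strings a 1024-byte area is exhausted after 128 entries, and anything beyond that silently overruns. The growable store is the comment's realloc approach; storing offsets rather than the pointers tgetstr returns is the detail that keeps it correct once the block moves.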