Hi,

When I use the /usr/bin/bc command with MALLOC_OPTIONS=UJ, a SEGV
occurs in libedit.

$ MALLOC_OPTIONS=UJ /usr/bin/bc
100000 + 200000 + 300000 + 400000 + 500000 + 600000 + 700000 + 800000 + 900000 
+ Segmentation fault (core dumped)

$ /usr/bin/gdb /usr/bin/bc bc.core
GNU gdb 6.3

... snip ...

(no debugging symbols found)

Core was generated by `bc'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)
Loaded symbols for /usr/bin/bc
Reading symbols from /usr/lib/libedit.so.5.2...done.
Loaded symbols for /usr/lib/libedit.so.5.2
Reading symbols from /usr/lib/libcurses.so.14.0...done.
Loaded symbols for /usr/lib/libcurses.so.14.0
Reading symbols from /usr/lib/libcrypto.so.43.1...done.
Loaded symbols for /usr/lib/libcrypto.so.43.1
Reading symbols from /usr/lib/libc.so.92.3...done.
Loaded symbols for /usr/lib/libc.so.92.3
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  re_refresh (el=Variable "el" is not available.
) at /home/asou/work/current/src/lib/libedit/refresh.c:518
518             while (*o)
(gdb) bt
#0  re_refresh (el=Variable "el" is not available.
) at /home/asou/work/current/src/lib/libedit/refresh.c:518
#1  0x00000fb7c886a19e in el_wgets (el=0xfb82e53d800, nread=Variable
"nread" is not available.
)
    at /home/asou/work/current/src/lib/libedit/read.c:372
#2  0x00000fb7c886a533 in el_gets (el=0xfb82e53d800,
nread=0x7f7ffffc734c)
    at /home/asou/work/current/src/lib/libedit/eln.c:74
#3  0x00000fb5bf407aa1 in ?? () from /usr/bin/bc
#4  0x00000fb5bf40661a in ?? () from /usr/bin/bc
#5  0x00000fb5bf4013f4 in ?? () from /usr/bin/bc
#6  0x00000fb5bf4009d6 in ?? () from /usr/bin/bc
#7  0x0000000000000000 in ?? ()
Current language:  auto; currently minimal
(gdb) 

I enter 83 characters, which extend beyond a single line, as follows, and
delete the last '0' with the DEL key; then a SEGV occurs.

100000 + 200000 + 300000 + 400000 + 500000 + 600000 + 700000 + 800000 + 900000 
+ 10

I made the following patch and it works fine!

ok?

diff --git a/lib/libedit/refresh.c b/lib/libedit/refresh.c
index f2d001d67cb..5f2d607d356 100644
--- a/lib/libedit/refresh.c
+++ b/lib/libedit/refresh.c
@@ -1061,6 +1061,7 @@ re_fastputc(EditLine *el, wint_t c)

        terminal__putc(el, c);
        el->el_display[el->el_cursor.v][el->el_cursor.h++] = c;
+       el->el_display[el->el_cursor.v][el->el_cursor.h] = '\0';
        while (--w > 0)
                el->el_display[el->el_cursor.v][el->el_cursor.h++]
                        = MB_FILL_CHAR;
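Review bot: The terminator is stored before the `while (--w > 0)` fill loop, so for a wide character (w > 1) the loop immediately overwrites it with MB_FILL_CHAR and the row is again unterminated after the last fill cell; move the `el->el_display[el->el_cursor.v][el->el_cursor.h] = '\0';` store to just after the loop (or store it in both places) so the row is terminated whatever w is. It would also help to state in the commit message that the crash is the `while (*o)` scan in re_refresh walking past the end of the unterminated row into junk-filled memory, which is why MALLOC_OPTIONS=UJ exposes it, and to confirm that el_display rows are allocated with room for the terminator at index el_cursor.h when the cursor sits at the last column.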
--
ASOU Masato
