bin/92074: top(1) aborts in redzone
Jaakko Heinonen
jh at saunalahti.fi
Fri Feb 15 18:00:05 UTC 2008
The following reply was made to PR bin/92074; it has been noted by GNATS.
From: Jaakko Heinonen <jh at saunalahti.fi>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: bin/92074: top(1) aborts in redzone
Date: Fri, 15 Feb 2008 19:52:31 +0200
I can reproduce this bug. After some research I found three bugs in
top(1):
1) Off-by-one error mentioned earlier in this PR.
2) In u_process bufferline is not NULL-terminated. It's later passed to
strlen(3) in line_update().
3) line_update() references an invalid memory location when
display_width is 0 (terminal is one character wide).
The attached patch should fix these.
--
Jaakko
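The first bug above, the off-by-one in the screen buffer allocation, as an added example that is not code from the PR or from top(1): a constructed model in which screenbuf_size() (a hypothetical helper) computes the lines * width + 1 allocation with wrap checks, and row_update() (also hypothetical) refuses a width below 1 and any terminator store that would land outside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of top's screen buffer (not top(1)'s code): `lines` rows of
 * `width` bytes, row r at screenbuf + r * width, each terminated at row[width]. */
/* Bytes to allocate, including the byte the last row's terminator needs at index
 * lines * width. Returns 0 on bad input or when the arithmetic would wrap. */
size_t screenbuf_size(size_t lines, size_t width)
{
    if (lines == 0 || width == 0 || lines > SIZE_MAX / width)
        return 0;
    size_t bytes = lines * width;
    return bytes == SIZE_MAX ? 0 : bytes + 1;
}
/* Write `text` into row `row`, truncated to `width` columns, space-padded and
 * NUL-terminated at row[width] so strlen() on the row stops there. Returns the
 * terminator's offset, or -1 when width is unusable (one-column terminal) or
 * the terminator would fall outside bufsize. */
long row_update(char *screenbuf, size_t bufsize, size_t width,
                size_t row, const char *text)
{
    if (width < 1)
        return -1;
    if (row > (SIZE_MAX - width) / width)   /* row * width + width wraps */
        return -1;
    size_t off = row * width;
    if (off + width >= bufsize)              /* terminator index < bufsize */
        return -1;
    char *line = screenbuf + off;
    size_t n = 0;
    while (n < width && text[n] != '\0')     /* bounded scan of text */
        n++;
    memcpy(line, text, n);
    memset(line + n, ' ', width - n);
    line[width] = '\0';
    return (long)(off + width);
}

int main(void)
{
    size_t size = screenbuf_size(24, 80);    /* 1921, not 1920 */
    char *buf = size ? malloc(size) : NULL;
    if (buf == NULL)
        return 1;
    long off = row_update(buf, size, 80, 23, "last row"); /* 1920: in bounds */
    free(buf);
    return off == 1920 ? 0 : 1;
}
```

With the pre-patch size of lines * width (1920 here) the same call returns -1, which is the write the original malloc size could not hold.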
Attachment: top-resize-crash.diff
Index: display.c
===================================================================
RCS file: /home/ncvs/src/contrib/top/display.c,v
retrieving revision 1.10
diff -u -r1.10 display.c
--- display.c 18 Jan 2008 01:43:13 -0000 1.10
+++ display.c 15 Feb 2008 12:36:03 -0000
@@ -139,7 +139,7 @@
}
/* now, allocate space for the screen buffer */
- screenbuf = (char *)malloc(lines * display_width);
+ screenbuf = (char *)malloc(lines * display_width + 1);
if (screenbuf == (char *)NULL)
{
/* oops! */
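Review bot: the extra byte in `malloc(lines * display_width + 1)` is not explained anywhere in the hunk; add a comment stating that it holds the terminator which the `newline[display_width] = '\0'` store in the second hunk writes one past the last row (index lines * display_width), otherwise a later cleanup may drop the +1 and reintroduce the overflow this PR reports.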
@@ -801,6 +801,7 @@
/* truncate the line to conform to our current screen width */
newline[display_width] = '\0';
+ bufferline[display_width] = '\0';
/* is line higher than we went on the last display? */
if (line >= last_hi)
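Review bot: `bufferline[display_width] = '\0'` stores one byte beyond a display_width-sized line, so it is only correct if bufferline is backed by at least display_width + 1 bytes; the hunk does not show its declaration, so please confirm that sizing in the commit message or a comment. A comment mirroring the one above it would also help, e.g. `/* terminate bufferline too: line_update() calls strlen() on it */`, since the bare added line does not say why the second terminator is needed.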
@@ -1137,6 +1138,9 @@
fputs(new, debug);
fputs("\n-\n", debug);
#endif
+
+ if (display_width < 1)
+ return;
/* start things off on the right foot */
/* this is to make sure the invariants get set up right */
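Review bot: the `if (display_width < 1) return;` guard has no comment; add one saying that with a zero width the line offsets computed further down point outside the screen buffer (the third bug in the PR text), so the function must bail out rather than draw. Also consider placing the guard before the `#ifdef` debug block above it, since as written the debug file records an old/new pair for an update that is then skipped.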