bin/82381: small bug in libedit might cause abnormal program termination

Björn König bkoenig at cs.tu-berlin.de
Sat Jun 18 10:50:16 GMT 2005 

>Number:         82381
>Category:       bin
>Synopsis:       small bug in libedit might cause abnormal program termination
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 18 10:50:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Björn König
>Release:        
>Organization:
>Environment:
>Description:
	libedit covers several vi and emacs functions and stores
	descriptions about them in a structure called el_func_help
	which will be generated automatically. This structure is
	terminated by { NULL, 0, NULL } as customary to have an
   	exit condition for use with loops. The problem is that
	the map_init function in lib/libedit/map.c do not respect
	this null-termination. It allocates memory for only N
	functions, but N+1 is necessary to include the termination.
	You'll get a segmentation fault in certain cases.
	
>How-To-Repeat:
	Set a language explicitly if you don't have set any.

	   > setenv LANG en_US.ISO8859-1

	Run a shell with built-in emacs command line editor.

	   > sh -E

	List all editor commands.

	   $ bind -l 2>/dev/null
	   Segmentation fault (core dumped)

>Fix:

--- libedit::map.c.diff begins here ---
--- src/lib/libedit/map.c.orig	Sat Jun 18 11:42:22 2005
+++ src/lib/libedit/map.c	Sat Jun 18 12:00:08 2005
@@ -917,11 +917,11 @@
 	el->el_map.vic = el_map_vi_command;
 	el->el_map.vii = el_map_vi_insert;
 	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
-	    EL_NUM_FCNS);
+	    (EL_NUM_FCNS + 1));
 	if (el->el_map.help == NULL)
 		return (-1);
 	(void) memcpy(el->el_map.help, help__get(),
-	    sizeof(el_bindings_t) * EL_NUM_FCNS);
+	    sizeof(el_bindings_t) * (EL_NUM_FCNS + 1));
 	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.func == NULL)
--- libedit::map.c.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list