Hello, originally I encountered this bug in GDB with the GEF plugin. The plugin tried to set a custom prompt. Additionally, it changed some GDB settings, which translates to the following readline call:

    rl_set_screen_size(INT_MAX, INT_MAX);

Setting _rl_screenwidth to INT_MAX causes signed integer overflow in display.c:1306.

    1306   t = lmargin + M_OFFSET (lmargin, wrap_offset) + _rl_screenwidth;
    1307   if (t < out)
    1308     line[t - 1] = '>';

This makes the test always pass and a byte gets written to an invalid address. Turning horizontal-scroll-mode off works around this problem (the code in question is never executed).

Steps to reproduce:

1. echo "set horizontal-scroll-mode on" >> ~/.inputrc
2. gcc rltest.c -o rltest -l readline
3. ./rltest

You can find rltest.c attached to this message.

-- 
mlen
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <readline/readline.h>

int main(void)
{
    char *line;

    /* simulate GDB "set height 0" and "set width 0" commands */
    rl_set_screen_size(INT_MAX, INT_MAX);

    while (1) {
        /* \001 and \002 bracket the color escapes so readline does not count them in the prompt width */
        line = readline("\001\033[1;32m\002>\001\033[0m\002");
        if (!line)
            break;          /* EOF (Ctrl-D) */
        puts(line);
        free(line);         /* readline() returns malloc'ed memory */
    }
    return 0;
}
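The quoted check computes the sum first and compares afterwards, so an overflowing sum passes the `t < out` test. The following is an added example, not readline's code: `marker_index_naive` mirrors the three quoted lines with hypothetical names (`m_offset` stands for `M_OFFSET (lmargin, wrap_offset)`), and `marker_index_checked` is the hardened form that decides whether the sum fits before computing it and only returns indices valid for `line[]`.

```c
#include <limits.h>
#include <stdio.h>

/* Naive form mirroring display.c:1306-1308 (hypothetical stand-in, not readline's code).
 * Returns the index the '>' marker would be written to, or -1 for "no marker".
 * With screenwidth == INT_MAX and any positive lmargin or offset the addition
 * overflows: undefined behaviour in C, and on common compilers t wraps negative,
 * so t < out holds and t - 1 is a negative index, a write far before line[0]. */
static int marker_index_naive(int lmargin, int m_offset, int screenwidth, int out)
{
    int t = lmargin + m_offset + screenwidth;
    if (t < out)
        return t - 1;
    return -1;
}

/* Hardened form: reject negative inputs, test whether the sum fits in an int
 * before computing it, and only return indices that lie inside line[]. */
static int marker_index_checked(int lmargin, int m_offset, int screenwidth, int out)
{
    if (lmargin < 0 || m_offset < 0 || screenwidth < 0 || out < 0)
        return -1;
    /* INT_MAX - lmargin - m_offset cannot underflow because both are >= 0.
     * If screenwidth exceeds it, the real sum does not fit in an int; treat
     * that as "marker column is off-screen" instead of computing garbage. */
    if (screenwidth > INT_MAX - lmargin - m_offset)
        return -1;
    int t = lmargin + m_offset + screenwidth;
    if (t >= 1 && t < out)
        return t - 1;
    return -1;
}

int main(void)
{
    /* Constructed inputs: the post's INT_MAX width and an ordinary 80-column terminal. */
    printf("naive,   width=80      out=100 -> index %d\n",
           marker_index_naive(0, 0, 80, 100));          /* 79 */
    printf("checked, width=80      out=100 -> index %d\n",
           marker_index_checked(0, 0, 80, 100));        /* 79 */
    printf("checked, width=80      out=40  -> index %d\n",
           marker_index_checked(0, 0, 80, 40));         /* -1 */
    printf("checked, width=INT_MAX out=100 -> index %d\n",
           marker_index_checked(5, 0, INT_MAX, 100));   /* -1: no write */
    return 0;
}
```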
Bug-readline mailing list: https://lists.gnu.org/mailman/listinfo/bug-readline
