URL: <http://savannah.gnu.org/bugs/?50197>
                 Summary: out of bounds write when dimensions are still 0, 0
                 Project: GNU Screen
            Submitted by: None
            Submitted on: Tue 31 Jan 2017 01:59:11 PM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.4.0
           Fixed Release: None
         Planned Release: None
           Work Required: None

    _______________________________________________________

Details:

Program received signal SIGSEGV, Segmentation fault.
0x080510da in MFixLine (p=p@entry=0x80cb2d8, y=y@entry=-1, mc=mc@entry=0x80cd830) at ansi.c:2371
2371    ansi.c: No such file or directory.
(gdb) bt
#0  0x080510da in MFixLine (p=p@entry=0x80cb2d8, y=y@entry=-1, mc=mc@entry=0x80cd830) at ansi.c:2371
#1  0x08051a7a in MPutChar (p=0x80cb2d8, c=0x80cd830, x=-1, y=-1) at ansi.c:2723
#2  0x08057e61 in WriteString (wp=0x0, buf=0xffb8c453 "\033[1;27H\r\n", len=175) at ansi.c:869
#3  0x08067868 in win_readev_fn (ev=0x80cb2e4, data=0x80cb2d8 "") at window.c:1942
#4  0x08090630 in sched () at sched.c:237
#5  0x0804c463 in main (ac=<optimized out>, av=<optimized out>) at screen.c:1487
(gdb) frame 0
#0  0x080510da in MFixLine (p=p@entry=0x80cb2d8, y=y@entry=-1, mc=mc@entry=0x80cd830) at ansi.c:2371
2371      if (mc->attr && ml->attr == null)
(gdb) up
#1  0x08051a7a in MPutChar (p=0x80cb2d8, c=0x80cd830, x=-1, y=-1) at ansi.c:2723
2723      MFixLine(p, y, c);
(gdb) up
#2  0x08057e61 in WriteString (wp=0x0, buf=0xffb8c453 "\033[1;27H\r\n", len=175) at ansi.c:869
869           MPutChar(curr, &curr->w_rend, curr->w_x, curr->w_y);
(gdb) l
864           curr->w_x++;
865         }
866       }
867       else if (curr->w_x == cols - 1)
868         {
869           MPutChar(curr, &curr->w_rend, curr->w_x, curr->w_y);
870           LPutChar(&curr->w_layer, &curr->w_rend, curr->w_x, curr->w_y);
871           if (curr->w_wrap)
872             curr->w_x++;
873         }
(gdb) p cols
$3 = 0
(gdb) p rows
$4 = 0

As one can see, rows/cols are both 0-valued but are used for range index computations.
It seems that when a screen is started in detached mode those variables are never set to reasonable values (like 25, 80).

The above source code is actually from 4.2.1, as it was easier in Debian to retrieve the source from that version, yet the error also occurs in 4.4.0.

Reproduce:

Terminal 1:

$ xxd bad_sequence
00000000: 1b5b 721b 5b6d 1b5b 324a 1b5b 481b 5b3f  .[r.[m.[2J.[H.[?
00000010: 3768 1b5b 3f31 3b33 3b34 3b36 6c1b 5b3b  7h.[?1;3;4;6l.[;
00000020: 481b 5b32 4a00 0000 0000 0000 0000 0000  H.[2J...........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 001b 5b3b 481b 5b32 4a00  ........[;H.[2J.
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 001b 5b3b 376d 1b28 301b 5b31 3b31 3048  ..[;7m.(0.[1;10H
000000a0: 0000 0000 0078 1b5b 313b 3237 480a       .....x.[1;27H.
$ screen -d -m bash -c 'sleep 10; cat bad_sequence; sleep 999'

Terminal 2 ("continue" in gdb and wait for the crash in less than 10 seconds):

$ gdb -p $(pgrep screen)

    _______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Tue 31 Jan 2017 01:59:11 PM UTC  Name: bad_sequence  Size: 174B  By: None
<http://savannah.gnu.org/bugs/download.php?file_id=39625>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?50197>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
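The report's key observation is that with rows == cols == 0 the test `curr->w_x == cols - 1` is satisfied by a cursor at x = -1, and the subsequent MPutChar indexes the line array with y = -1. The following is an added illustration, not GNU Screen's code: a minimal model of a window buffer that may still be unsized, a CSI-style cursor clamp that reproduces the (-1, -1) state from the backtrace, and a put-char routine that validates the cell before indexing. All names (win_t, line_t, cursor_goto_clamped, put_char_checked, at_last_column) are invented for this example and do not correspond to Screen's internals.

```c
/* Added example (not GNU Screen's code): model of a window whose
 * dimensions are still 0,0 and a bounds-checked cell write.
 * All identifiers here are invented for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *image;          /* one byte per column */
} line_t;

typedef struct {
    int rows, cols;       /* 0,0 until the window has been sized */
    line_t *lines;        /* NULL while rows == 0 */
    int x, y;             /* cursor, 0-based */
} win_t;

/* Allocate a rows x cols buffer; rows == 0 leaves lines == NULL. */
static int win_init(win_t *w, int rows, int cols) {
    memset(w, 0, sizeof *w);
    if (rows < 0 || cols < 0) return -1;
    w->rows = rows;
    w->cols = cols;
    if (rows == 0) return 0;
    w->lines = calloc((size_t)rows, sizeof *w->lines);
    if (!w->lines) return -1;
    for (int i = 0; i < rows; i++) {
        /* +1 so that cols == 0 still yields a valid allocation */
        w->lines[i].image = calloc((size_t)cols + 1, 1);
        if (!w->lines[i].image) return -1;
    }
    return 0;
}

static void win_free(win_t *w) {
    if (w->lines) {
        for (int i = 0; i < w->rows; i++) free(w->lines[i].image);
        free(w->lines);
    }
    w->lines = NULL;
    w->rows = w->cols = 0;
}

/* Cursor positioning in the style of CSI row;col H (0-based here):
 * clamp to the last row/column.  With rows == cols == 0 the clamp
 * produces (-1, -1), the state visible in the backtrace. */
static void cursor_goto_clamped(win_t *w, int row, int col) {
    w->y = row >= w->rows ? w->rows - 1 : (row < 0 ? 0 : row);
    w->x = col >= w->cols ? w->cols - 1 : (col < 0 ? 0 : col);
}

/* The comparison from the listing (`w_x == cols - 1`): true for
 * x == -1 when cols == 0, which is why the crashing branch is taken. */
static int at_last_column(const win_t *w) {
    return w->x == w->cols - 1;
}

/* 1 if (x, y) addresses a cell that actually exists in the buffer.
 * Rejects negative coordinates and any unsized window. */
static int cell_in_bounds(const win_t *w, int x, int y) {
    return w->lines != NULL && y >= 0 && y < w->rows && x >= 0 && x < w->cols;
}

/* Hardened write: 0 on success, -1 if the cursor is outside the buffer. */
static int put_char_checked(win_t *w, char c) {
    if (!cell_in_bounds(w, w->x, w->y)) return -1;
    w->lines[w->y].image[w->x] = c;
    return 0;
}

int main(void) {
    win_t w;
    /* Case 1: window not yet sized (detached start), then CSI 1;27H + 'x'. */
    win_init(&w, 0, 0);
    cursor_goto_clamped(&w, 0, 26);
    printf("unsized: cursor=(%d,%d) at_last_column=%d checked_put=%d\n",
           w.x, w.y, at_last_column(&w), put_char_checked(&w, 'x'));
    win_free(&w);
    /* Case 2: a normal 24x80 window receiving the same sequence. */
    win_init(&w, 24, 80);
    cursor_goto_clamped(&w, 0, 26);
    printf("sized: cursor=(%d,%d) checked_put=%d cell='%c'\n",
           w.x, w.y, put_char_checked(&w, 'x'), w.lines[0].image[26]);
    win_free(&w);
    return 0;
}
```

The unsized case shows why a size-relative comparison alone is not a bounds check: `x == cols - 1` holds for x = -1 precisely when cols is 0. Validating both coordinates against [0, rows) x [0, cols), and refusing writes while the buffer has no lines, covers the unsized window without special-casing it.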