Pointer bounds violations in curses
Sam Kendall
kendall at talcott.UUCP
Thu May 2 10:54:24 AEST 1985
Index: usr.lib/libcurses 4.2BSD
Description:
In "refresh.c", pointers access storage beyond the bounds of
the array they are supposed to point into, leading to
unpredictable behavior. It is a coincidence that the original
code works on a VAX, and it might not work in all cases, or on
other machines. The bugs lead to some unnecessary looping even
on the VAX. In more detail: in most of the function
`makech', `wx <= lch' should always hold true; if it does not,
then `nsp' and `csp' point past the end of the arrays that they
are supposed to point into. This happens in the two places
that are corrected.
Repeat-By:
These problems were detected with lint and with the Bcc Compiler,
a C language checkout compiler. If you do not have the Bcc
Compiler, insert debugging statements in "refresh.c" to monitor the
values of `wx' and `lch' at the two points where corrections are
to be made, and note that `wx' gets much larger than `lch'.
Fix:
There are three changes. The first two changes prevent the
bounds violations; the third merely corrects a lint-reported
inconsistency.
*** /usr/src/usr.lib/libcurses/refresh.c Thu Jun 23 12:53:54 1983
--- libcurses/refresh.c Wed May 1 15:51:17 1985
***************
*** 143,149
# endif
ly = y;
lx = wx + win->_begx;
! while (*nsp != *csp && wx <= lch) {
if (ce != NULL && wx >= nlsp && *nsp == ' ') {
/*
* check for clear to end-of-line
--- 143,149 -----
# endif
ly = y;
lx = wx + win->_begx;
! while (wx <= lch && *nsp != *csp) {
if (ce != NULL && wx >= nlsp && *nsp == ' ') {
/*
* check for clear to end-of-line
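Review bot: The fix depends on `&&` short-circuit evaluation, so with `wx <= lch` first neither `*nsp` nor `*csp` is dereferenced once `wx` passes `lch`; a one-line comment above the `while` saying the bounds test must stay the left operand would stop a later edit from restoring the old order and silently bringing back the read past the end of the line.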
***************
*** 224,230
lx = wx + win->_begx;
}
else if (wx < lch)
! while (*nsp == *csp) {
nsp++;
if (!curwin)
csp++;
--- 224,230 -----
lx = wx + win->_begx;
}
else if (wx < lch)
! while (wx <= lch && *nsp == *csp) {
nsp++;
if (!curwin)
csp++;
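Review bot: The enclosing `else if (wx < lch)` only guards entry to the loop, so the added `wx <= lch` test in the loop condition is what stops the skip-over-matching-characters loop from advancing `nsp` and `csp` past the end when the remainder of the line matches; a comment above the loop explaining why both checks are needed would make that clear to the next reader.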
*** /usr/src/usr.lib/libcurses/addch.c Thu Jun 23 12:54:48 1983
--- libcurses/addch.c Tue Apr 9 11:22:32 1985
***************
*** 36,42
# endif
if (win->_flags & _STANDOUT)
c |= _STANDOUT;
! set_ch(win, y, x, c, NULL);
for (wp = win->_nextp; wp != win; wp = wp->_nextp)
set_ch(wp, y, x, c, win);
win->_y[y][x++] = c;
--- 36,42 -----
# endif
if (win->_flags & _STANDOUT)
c |= _STANDOUT;
! set_ch(win, y, x, c, (WINDOW *)NULL);
for (wp = win->_nextp; wp != win; wp = wp->_nextp)
set_ch(wp, y, x, c, win);
win->_y[y][x++] = c;
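Review bot: The `(WINDOW *)NULL` cast is more than a lint cosmetic: the call `set_ch(wp, y, x, c, win)` on the following line shows the last parameter is a `WINDOW *`, and without prototypes an uncast `NULL` is passed as an `int`, which only happens to match a pointer on machines where the two have the same size and representation; the description could say this so the change is not dropped as harmless.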
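A small model of the first hunk's loop-condition reordering, added here as an example and not part of the posted fix or of the curses sources. It assumes `nsp` and `csp` index a screen line from column 0 through `lch`, and it swaps the real dereference for a bounds-accounting read so that the original ordering's access past `lch` is counted rather than performed.

```c
/* Outcome of simulating one makech-style scan over a screen line. */
struct scan_result {
    int stop_wx;   /* column at which the loop condition became false */
    int oob_reads; /* dereferences that would have landed past column lch */
};

/* Bounds-accounting read: columns 0..lch are the line; a read beyond that
   is counted instead of performed, so the model never touches memory it
   does not own. (Constructed helper, not curses code.) */
static int read_col(const char *line, int col, int lch, int *oob)
{
    if (col > lch) { (*oob)++; return 0; }
    return (unsigned char)line[col];
}

/* Original 4.2BSD ordering: `*nsp != *csp && wx <= lch'.
   Both pointers are dereferenced before the bounds test runs. */
struct scan_result scan_original_order(const char *nsp, const char *csp,
                                       int wx, int lch)
{
    struct scan_result r = {wx, 0};
    for (;;) {
        int n = read_col(nsp, r.stop_wx, lch, &r.oob_reads);
        int c = read_col(csp, r.stop_wx, lch, &r.oob_reads);
        if (!(n != c && r.stop_wx <= lch))
            break;
        r.stop_wx++; /* stands in for nsp++, csp++, wx++ in makech */
    }
    return r;
}

/* Corrected ordering: `wx <= lch && *nsp != *csp'.
   Short-circuit evaluation skips the dereference once wx > lch. */
struct scan_result scan_fixed_order(const char *nsp, const char *csp,
                                    int wx, int lch)
{
    struct scan_result r = {wx, 0};
    for (;;) {
        if (r.stop_wx > lch)
            break; /* bounds test first: nothing past the line is read */
        int n = read_col(nsp, r.stop_wx, lch, &r.oob_reads);
        int c = read_col(csp, r.stop_wx, lch, &r.oob_reads);
        if (n == c)
            break;
        r.stop_wx++;
    }
    return r;
}
```

With a line that differs in every column, both orderings stop at `lch + 1`, but only the original ordering records reads beyond the line.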