Re: segfault by emacs -nw

[Kenichi Handa <handa@m17n.org>]

Terje Rosten <terjeros@phys.ntnu.no> writes:
> | With today's CVS HEAD, emacs -nw always crashes as below:

> Reverting this patch seems to fix it here:

> <URL: http://savannah.gnu.org/cgi-bin/viewcvs/emacs/emacs/src/term.c.diff?r1=1.146&r2=1.147&sortby=date>

> The change is from:

> 2003-08-19  Gerd Moellmann  <gerd@gnu.org>

>         * s/freebsd.h [__FreeBSD_version >= 400000]: Define TERMINFO,
>         use -lncurses.

>         * term.c (term_init): Use a buffer of size 4096 for tgetent since
>         FreeBSD returns something longer than 2044.  Abort if the end of
>         the buffer is overwritten.

Thank you for the info.   I think I found what is wrong with
the above patch.

The current code is like this:
----------------------------------------------------------------------
  buffer = (char *) xmalloc (buffer_size);
  status = tgetent (buffer, terminal_type);
[...]
  if (strlen (buffer) >= buffer_size)
    abort ();
  
  area = (char *) xmalloc (strlen (buffer));
----------------------------------------------------------------------

But, on GNU/Linux, the argument `buffer' of tgetent is
ignored.  This is the man page for tgetent.

SYNOPSIS
[...]
       int tgetent(char *bp, const char *name);
[...]
       These routines are included as a conversion aid  for  pro-
       grams  that use the termcap library.  Their parameters are
       the same and the routines are emulated using the  terminfo
       database.   Thus, they can only be used to query the capa-
       bilities of entries for which a terminfo  entry  has  been
       compiled.

       The  tgetent routine loads the entry for name.  It returns
       1 on success, 0 if there is no such entry, and -1  if  the
       terminfo  database  could  not  be  found.   The emulation
       ignores the buffer pointer bp.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So, in my environment, the memory allocated for `area' is
too small which leads to buffer overrun.  I've just
installed the attached change.

---
Ken'ichi HANDA
handa@m17n.org


2003-08-21  Kenichi Handa  <handa@m17n.org>

	* term.c (term_init): Fix previous change; don't rely on the
	length of `buffer' if TERMINFO is defined.

Index: term.c
===================================================================
RCS file: /cvsroot/emacs/emacs/src/term.c,v
retrieving revision 1.147
diff -u -c -r1.147 term.c
cvs server: conflicting specifications of output style
*** term.c	19 Aug 2003 23:47:22 -0000	1.147
--- term.c	21 Aug 2003 11:34:21 -0000
***************
*** 2229,2238 ****
  #endif
      }
  
    if (strlen (buffer) >= buffer_size)
      abort ();
!   
!   area = (char *) xmalloc (strlen (buffer));
  
    TS_ins_line = tgetstr ("al", address);
    TS_ins_multi_lines = tgetstr ("AL", address);
--- 2229,2240 ----
  #endif
      }
  
+ #ifndef TERMINFO
    if (strlen (buffer) >= buffer_size)
      abort ();
!   buffer_size = strlen (buffer);
! #endif
!   area = (char *) xmalloc (buffer_size);
  
    TS_ins_line = tgetstr ("al", address);
    TS_ins_multi_lines = tgetstr ("AL", address);