Created attachment 1291506
Triggered by "captoinfo POC3"
Description of problem:
In the append_acs function (parse_entry.c:57), the value of tp->Strings was written as 0xffffffffff in the preceding function, which led to an illegal address access crash.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
The debug information is as follows:
(gdb) set args $POC
#0 strlen () at ../sysdeps/x86_64/strlen.S:137
#1 0x000000000043a99a in append_acs (code=120, src=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, dst=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:574
#2 postprocess_termcap (tp=<optimized out>, has_base=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:916
#3 _nc_parse_entry (entryp=0x7fffffffaf88, literal=<optimized out>, silent=<optimized out>) at ../ncurses/./tinfo/parse_entry.c:507
#4 0x00000000004317d3 in _nc_read_entry_source (fp=<optimized out>, buf=<optimized out>, literal=0, silent=<optimized out>, hook=<optimized out>) at ../ncurses/./tinfo/comp_parse.c:227
#5 0x0000000000402c57 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:929
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact email@example.com and firstname.lastname@example.org if you need more info about the team, the tool or the vulnerability.
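The backtrace shows strlen() being called on the pointer value 0xffffffffffffffff, i.e. (char *)-1, which in terminfo parsing is a sentinel meaning "capability cancelled" rather than a real string. The following is an added example (my own code, not ncurses' source) that reproduces the shape of the bug beside a hardened form: the sentinel definitions follow the ABSENT_STRING / CANCELLED_STRING / VALID_STRING convention ncurses uses in term.h (an assumption stated for this example), the struct and function names are invented, and the input table is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel values for terminfo string capabilities (assumption: these
 * mirror the convention in ncurses' term.h, reproduced here so the
 * example is self-contained).  An absent capability is a NULL pointer;
 * a cancelled one is (char *)-1, the exact value in frame #1 above. */
#define ABSENT_STRING    ((char *)0)
#define CANCELLED_STRING ((char *)(-1))
#define VALID_STRING(s)  ((s) != ABSENT_STRING && (s) != CANCELLED_STRING)

/* Simplified ACS mapping buffer: pairs of (vt100 code, terminal char). */
struct acs_buf {
    char   text[64];
    size_t used;
};

/* Crash-prone pattern: only the NULL case is rejected, so a cancelled
 * capability (pointer value -1) reaches strlen() and faults.  Kept for
 * contrast; never call it with CANCELLED_STRING. */
void append_acs_unchecked(struct acs_buf *dst, int code, const char *src)
{
    if (src != 0 && strlen(src) == 1 && dst->used + 2 < sizeof dst->text) {
        dst->text[dst->used++] = (char) code;
        dst->text[dst->used++] = src[0];
        dst->text[dst->used]   = '\0';
    }
}

/* Hardened pattern: test both sentinels before any dereference. */
void append_acs_checked(struct acs_buf *dst, int code, const char *src)
{
    if (VALID_STRING(src) && strlen(src) == 1 && dst->used + 2 < sizeof dst->text) {
        dst->text[dst->used++] = (char) code;
        dst->text[dst->used++] = src[0];
        dst->text[dst->used]   = '\0';
    }
}

/* Build the mapping from a table of capability strings, skipping entries
 * that are absent, cancelled or longer than one character.
 * Returns the number of (code, char) pairs appended. */
size_t build_acs_map(const char *const caps[], const int codes[], size_t n,
                     struct acs_buf *out)
{
    out->used = 0;
    out->text[0] = '\0';
    for (size_t i = 0; i < n; i++)
        append_acs_checked(out, codes[i], caps[i]);
    return out->used / 2;
}

/* Constructed demo input: one valid single-char capability, one absent,
 * one cancelled (the crashing case), one multi-char, one more valid. */
struct acs_buf demo_result;

size_t demo(void)
{
    const char *const caps[]  = { "+", ABSENT_STRING, CANCELLED_STRING, "xy", "-" };
    const int         codes[] = { 'j', 'k', 'm', 'n', 'l' };
    return build_acs_map(caps, codes, 5, &demo_result);
}

int main(void)
{
    size_t pairs = demo();
    printf("%zu pairs appended, acsc=\"%s\"\n", pairs, demo_result.text);
    return 0;
}
```

With the constructed table, the checked builder appends two pairs ("j+l-") and silently skips the cancelled entry; the unchecked variant would dereference address -1 on the third entry, which is the fault reported in the backtrace.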
Severity medium (fix will appear in the weekly updates).
*** Bug 1473306 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 1473306 ***