Bug 1566575 - There is a Segmentation fault in the software in _nc_parse_entry function of ncurses tool with latest version
Summary: There is a Segmentation fault in the software in _nc_parse_entry function of ...
Keywords:
Status: CLOSED DUPLICATE of bug 1576119
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Lichvar
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-12 14:39 UTC by c1208828
Modified: 2018-05-09 12:55 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-09 12:55:33 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by ./tic POC (4.54 KB, application/octet-stream)
2018-04-12 14:39 UTC, c1208828
no flags Details

Description c1208828 2018-04-12 14:39:00 UTC
Created attachment 1420874 [details]
Triggered by ./tic POC

Description of problem:


Version-Release number of selected component (if applicable):

ncurses 6.1.20180407

How reproducible:

./tic POC

Steps to Reproduce:

The output information is as follows:
./tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args POC
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/ncurses/progs/tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32	../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.

(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1  0x00000000004babde in _nc_parse_entry (entryp=entryp@entry=0x7fffffffaed0, literal=literal@entry=0, 
    silent=silent@entry=false) at ../ncurses/./tinfo/parse_entry.c:547
#2  0x00000000004a421c in _nc_read_entry_source (fp=<optimized out>, buf=buf@entry=0x0, 
    literal=literal@entry=0, silent=silent@entry=false, hook=hook@entry=0x406520 <immedhook>)
    at ../ncurses/./tinfo/comp_parse.c:225
#3  0x00000000004040b0 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:961

(gdb) list ../ncurses/./tinfo/parse_entry.c:547
542			/*
543			 * Otherwise, look for a base entry that will already
544			 * have picked up defaults via translation.
545			 */
546			for (i = 0; i < entryp->nuses; i++)
547			    if (!strchr((char *) entryp->uses[i].name, '+'))
548				has_base_entry = TRUE;
549		    }
550	
551		    postprocess_termcap(&entryp->tterm, has_base_entry);

(gdb) info all-registers 
rax            0x0	0
rbx            0x0	0
rcx            0x0	0
rdx            0x0	0
rsi            0x2b	43
rdi            0x0	0
rbp            0x7fffffffaf38	0x7fffffffaf38
rsp            0x7fffffffae48	0x7fffffffae48
r8             0xfcff00000000	278172146860032
r9             0x0	0
r10            0x7fffffffaf20	140737488334624
r11            0x714300	7422720
r12            0x1	1
r13            0x7fffffffaf38	140737488334648
r14            0x0	0
r15            0x7fffffffaed0	140737488334544
rip            0x7ffff7a96ad3	0x7ffff7a96ad3 <__strchr_sse2+35>
eflags         0x10283	[ CF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
---Type <return> to continue, or q <return> to quit---
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.

Comment 2 Miroslav Lichvar 2018-04-12 14:46:04 UTC
(In reply to c1208828 from comment #0)
> Version-Release number of selected component (if applicable):
> 
> ncurses 6.1.20180407

That's not a version of ncurses we have in RHEL7.5.

Can you please report these bugs directly to the upstream maintainer using the bug-ncurses@gnu.org mailing list?

Depending on the severity of the bug, we may consider backporting the fix to the RHEL ncurses package.

Comment 3 c1208828 2018-04-12 16:12:47 UTC
(In reply to Miroslav Lichvar from comment #2)
> (In reply to c1208828 from comment #0)
> > Version-Release number of selected component (if applicable):
> > 
> > ncurses 6.1.20180407
> 
> That's not a version of ncurses we have in RHEL7.5.
> 
> Can you please report these bugs directly to the upstream maintainer using
> the bug-ncurses@gnu.org mailing list?
> 
> Depending on the severity of the bug, we may consider backporting the fix to
> the RHEL ncurses package.

Sorry for the mistake, we will report this bug directly to the maintainer.

Comment 4 Miroslav Lichvar 2018-05-09 12:55:33 UTC

*** This bug has been marked as a duplicate of bug 1576119 ***


Note You need to log in before you can comment on or make changes to this bug.