Bug 1566575 - There is a Segmentation fault in the software in _nc_parse_entry function of ncurses tool with latest version
Keywords:
Status: CLOSED DUPLICATE of bug 1576119
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Lichvar
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-12 14:39 UTC by c1208828
Modified: 2018-05-09 12:55 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-09 12:55:33 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Triggered by ./tic POC (4.54 KB, application/octet-stream)
2018-04-12 14:39 UTC, c1208828

Description c1208828 2018-04-12 14:39:00 UTC
Created attachment 1420874 [details]
Triggered by ./tic POC

Description of problem:


Version-Release number of selected component (if applicable):

ncurses 6.1.20180407

How reproducible:

./tic POC

Steps to Reproduce:

The output information is as follows:
./tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args POC
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/ncurses/progs/tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������͸������ո
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32	../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.

(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1  0x00000000004babde in _nc_parse_entry (entryp=entryp@entry=0x7fffffffaed0, literal=literal@entry=0, 
    silent=silent@entry=false) at ../ncurses/./tinfo/parse_entry.c:547
#2  0x00000000004a421c in _nc_read_entry_source (fp=<optimized out>, buf=buf@entry=0x0, 
    literal=literal@entry=0, silent=silent@entry=false, hook=hook@entry=0x406520 <immedhook>)
    at ../ncurses/./tinfo/comp_parse.c:225
#3  0x00000000004040b0 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:961

(gdb) list ../ncurses/./tinfo/parse_entry.c:547
542			/*
543			 * Otherwise, look for a base entry that will already
544			 * have picked up defaults via translation.
545			 */
546			for (i = 0; i < entryp->nuses; i++)
547			    if (!strchr((char *) entryp->uses[i].name, '+'))
548				has_base_entry = TRUE;
549		    }
550	
551		    postprocess_termcap(&entryp->tterm, has_base_entry);

(gdb) info all-registers 
rax            0x0	0
rbx            0x0	0
rcx            0x0	0
rdx            0x0	0
rsi            0x2b	43
rdi            0x0	0
rbp            0x7fffffffaf38	0x7fffffffaf38
rsp            0x7fffffffae48	0x7fffffffae48
r8             0xfcff00000000	278172146860032
r9             0x0	0
r10            0x7fffffffaf20	140737488334624
r11            0x714300	7422720
r12            0x1	1
r13            0x7fffffffaf38	140737488334648
r14            0x0	0
r15            0x7fffffffaed0	140737488334544
rip            0x7ffff7a96ad3	0x7ffff7a96ad3 <__strchr_sse2+35>
eflags         0x10283	[ CF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.
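
Added example, not part of the original report and not ncurses code: the backtrace shows strchr() entered with rdi = 0x0 and rsi = 0x2b ('+'), so the loop at parse_entry.c:547 passed a NULL uses[i].name. The sketch below models that loop with simplified stand-in types (struct use_ref, struct entry_model, MODEL_MAX_USES and both function names are assumptions) and sets it beside a guarded variant that rejects the malformed use list; it is one possible check, not the upstream fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_USES 8   /* assumption: capacity of this model only */

/* Hypothetical stand-in for the part of ENTRY used by the loop at line 547. */
struct use_ref { const char *name; };
struct entry_model { unsigned nuses; struct use_ref uses[MODEL_MAX_USES]; };

/* Mirrors the listed loop: name goes to strchr() unchecked, so a NULL name
 * faults inside strchr (frame #0, rdi = 0x0, rsi = 0x2b '+'). */
bool has_base_entry_unchecked(const struct entry_model *e)
{
    bool found = false;
    for (unsigned i = 0; i < e->nuses; i++)
        if (!strchr(e->uses[i].name, '+'))
            found = true;
    return found;
}

/* Guarded variant: returns 1/0 like the loop, or -1 for a malformed use list
 * (count over capacity, or a NULL name); *bad gets the offending index. */
int has_base_entry_checked(const struct entry_model *e, int *bad)
{
    int found = 0;
    *bad = -1;
    if (e->nuses > MODEL_MAX_USES)
        return -1;
    for (unsigned i = 0; i < e->nuses; i++) {
        if (e->uses[i].name == NULL) {
            *bad = (int) i;
            return -1;
        }
        if (!strchr(e->uses[i].name, '+'))
            found = 1;
    }
    return found;
}

int main(void)
{
    /* Constructed input: the second use reference never received a name. */
    struct entry_model e = { 2, { { "vt100+keys" }, { NULL } } };
    int bad;
    int rc = has_base_entry_checked(&e, &bad);
    printf("rc=%d bad_index=%d\n", rc, bad);
    return rc == -1 ? 0 : 1;
}
```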

Comment 2 Miroslav Lichvar 2018-04-12 14:46:04 UTC
(In reply to c1208828 from comment #0)
> Version-Release number of selected component (if applicable):
> 
> ncurses 6.1.20180407

That's not a version of ncurses we have in RHEL7.5.

Can you please report these bugs directly to the upstream maintainer using the bug-ncurses mailing list?

Depending on the severity of the bug, we may consider backporting the fix to the RHEL ncurses package.

Comment 3 c1208828 2018-04-12 16:12:47 UTC
(In reply to Miroslav Lichvar from comment #2)
> (In reply to c1208828 from comment #0)
> > Version-Release number of selected component (if applicable):
> > 
> > ncurses 6.1.20180407
> 
> That's not a version of ncurses we have in RHEL7.5.
> 
> Can you please report these bugs directly to the upstream maintainer using
> the bug-ncurses mailing list?
> 
> Depending on the severity of the bug, we may consider backporting the fix to
> the RHEL ncurses package.

Sorry for the mistake, we will report this bug directly to the maintainer.

Comment 4 Miroslav Lichvar 2018-05-09 12:55:33 UTC

*** This bug has been marked as a duplicate of bug 1576119 ***

