Hide Forgot
Created attachment 1420874 [details] Triggered by ./tic POC Description of problem: Version-Release number of selected component (if applicable): ncurses 6.1.20180407 How reproducible: ./tic POC Steps to Reproduce: The output information is as follows: ./tic POC "POC", line 1, col 4095: dubious character `[' in name or alias field "POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������������ո . . . "POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z' "POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t# "POC", line 2, col 21, terminal 'invalid': Illegal character - '^H' "POC", line 2, col 21, terminal 'invalid': unknown capability 't' "POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H' "POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t Segmentation fault (core dumped) GDB debugging information is as follows: (gdb) set args POC (gdb) r Starting program: /home/afl/software/fuzzing-benchmarks/ncurses/progs/tic POC "POC", line 1, col 4095: dubious character `[' in name or alias field "POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=�:tc=t���������������������������������ո . . . "POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z' "POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t# "POC", line 2, col 21, terminal 'invalid': Illegal character - '^H' "POC", line 2, col 21, terminal 'invalid': unknown capability 't' "POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H' "POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t Program received signal SIGSEGV, Segmentation fault. __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32 32 ../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory. (gdb) bt #0 __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32 #1 0x00000000004babde in _nc_parse_entry (entryp=entryp@entry=0x7fffffffaed0, literal=literal@entry=0, silent=silent@entry=false) at ../ncurses/./tinfo/parse_entry.c:547 #2 0x00000000004a421c in _nc_read_entry_source (fp=<optimized out>, buf=buf@entry=0x0, literal=literal@entry=0, silent=silent@entry=false, hook=hook@entry=0x406520 <immedhook>) at ../ncurses/./tinfo/comp_parse.c:225 #3 0x00000000004040b0 in main (argc=<optimized out>, argv=<optimized out>) at ../progs/tic.c:961 (gdb) list ../ncurses/./tinfo/parse_entry.c:547 542 /* 543 * Otherwise, look for a base entry that will already 544 * have picked up defaults via translation. 545 */ 546 for (i = 0; i < entryp->nuses; i++) 547 if (!strchr((char *) entryp->uses[i].name, '+')) 548 has_base_entry = TRUE; 549 } 550 551 postprocess_termcap(&entryp->tterm, has_base_entry); (gdb) info all-registers rax 0x0 0 rbx 0x0 0 rcx 0x0 0 rdx 0x0 0 rsi 0x2b 43 rdi 0x0 0 rbp 0x7fffffffaf38 0x7fffffffaf38 rsp 0x7fffffffae48 0x7fffffffae48 r8 0xfcff00000000 278172146860032 r9 0x0 0 r10 0x7fffffffaf20 140737488334624 r11 0x714300 7422720 r12 0x1 1 r13 0x7fffffffaf38 140737488334648 r14 0x0 0 r15 0x7fffffffaed0 140737488334544 rip 0x7ffff7a96ad3 0x7ffff7a96ad3 <__strchr_sse2+35> eflags 0x10283 [ CF SF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) ---Type <return> to continue, or q <return> to quit--- st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 Actual results: crash Expected results: crash Additional info: The crash can be reproduced by the attached file.
(In reply to c1208828 from comment #0) > Version-Release number of selected component (if applicable): > > ncurses 6.1.20180407 That's not a version of ncurses we have in RHEL7.5. Can you please report these bugs directly to the upstream maintainer using the bug-ncurses@gnu.org mailing list? Depending on the severity of the bug, we may consider backporting the fix to the RHEL ncurses package.
(In reply to Miroslav Lichvar from comment #2) > (In reply to c1208828 from comment #0) > > Version-Release number of selected component (if applicable): > > > > ncurses 6.1.20180407 > > That's not a version of ncurses we have in RHEL7.5. > > Can you please report these bugs directly to the upstream maintainer using > the bug-ncurses@gnu.org mailing list? > > Depending on the severity of the bug, we may consider backporting the fix to > the RHEL ncurses package. Sorry for the mistake, we will report this bug directly to the maintainer.
*** This bug has been marked as a duplicate of bug 1576119 ***