Bug 23058 - ncurses: tgoto_internal() ugliness
Summary: ncurses: tgoto_internal() ugliness
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: gnu
Version: Unspecified
Hardware: Any Any
Importance: Normal, Affects Only Me
Assignee: Cy Schubert
Reported: 2000-11-24 01:00 UTC by Valentin Nechayev
Modified: 2003-05-04 21:24 UTC
Description Valentin Nechayev 2000-11-24 01:00:01 UTC
ncurses (v.5.1 of 20001009) in FreeBSD-current (version is specified above)
has an ugly tgoto_internal() function
(file src/contrib/ncurses/ncurses/tinfo/lib_tgoto.c) which cannot deal
properly with a string of length 0. screen (3.9.8 from ports 3 hours ago)
calls tgoto() with such an empty string in CPutStr().

The situation is reproduced by running mutt (the popular text-mode mail user agent)
with threaded grouping of letters in the mailbox inside screen's virtual terminal.
The diagnostic log follows.

Core file (to generate, set kern.sugid_coredump to 1):
-rw-------   1 netch  wheel   479232 Nov 24 00:59 screen.dbg.2704.core

(gdb) bt
#0  0x281521fc in kill () from /usr/lib/libc.so.4
#1  0x28190f26 in abort () from /usr/lib/libc.so.4
#2  0x804cced in CoreDump (sigsig=11) at screen.c:1413
#3  0xbfbfffac in ?? ()
#4  0x280c658d in tgoto () from /usr/lib/libncurses.so.5
#5  0x80809e8 in CPutStr (s=0x8094f4e "", c=48) at display.c:902
#6  0x80831cc in SetFont (new=48) at display.c:1789
#7  0x8083582 in SetRendition (mc=0x80ba324) at display.c:1855
#8  0x808c374 in LSetRendition (l=0x80b800c, r=0x80ba324) at layer.c:507
#9  0x8052f06 in DesignateCharset (c=48, n=0) at ansi.c:1517
#10 0x8051966 in DoESC (c=48, intermediate=40) at ansi.c:943
#11 0x8050788 in WriteString (wp=0x80b8000,
    buf=0xbfbfe295 "\e[?25l\e[1;1H\e[7m\e[37m\e[40m---Mutt: /var/mail/netch
599
K [Msgs:56 New:24 Post:5]", '-' <repeats 18 times>,
"(39%)---\e[2;1H\e[m\e[37m\e
[40m1   |\e[5C| Pavel Gulchouck\e[6C| Re: sendmail.cf.pl?\r\n2   |\e[5C|
Valenti
n Ne"..., len=1589) at ansi.c:546
#12 0x80689d5 in win_readev_fn (ev=0x80b8048, data=0x80b8000 "")
    at window.c:1768
#13 0x808e33e in sched () at sched.c:237
#14 0x804c78e in main (ac=0, av=0xbfbffb94) at screen.c:1255
#15 0x8049fb5 in _start ()

(gdb) f 5
#5  0x80809e8 in CPutStr (s=0x8094f4e "", c=48) at display.c:902
902           tputs(tgoto(s, 0, c), 1, DoAddChar);
(gdb) p s
$1 = 0x8094f4e ""
(gdb) p c
$2 = 48
(gdb) p DoAddChar
$3 = {int (int)} 0x8080918 <DoAddChar>
(gdb) f 4
#4  0x280c658d in tgoto () from /usr/lib/libncurses.so.5
(gdb) info f 4
Stack frame at 0xbfbfe0ec:
 eip = 0x280c658d in tgoto; saved eip 0x80809e8
 called by frame at 0xbfbfe118, caller of frame at 0xbfbfe0bc
 Arglist at 0xbfbfe0ec, args:
 Locals at 0xbfbfe0ec, Previous frame's sp is 0x0
 Saved registers:
  ebx at 0xbfbfe0d4, ebp at 0xbfbfe0ec, esi at 0xbfbfe0d8, edi at 0xbfbfe0dc,
  eip at 0xbfbfe0f0
(gdb) x/w 0xbfbfe0f4
0xbfbfe0f4:     0x08094f4e
(gdb) x/c 0x08094f4e
0x8094f4e <TermcapConst+1006>:  0 '\000'
(gdb) x/w 0xbfbfe0f8
0xbfbfe0f8:     0 '\000'
(gdb) x/w 0xbfbfe0fc
0xbfbfe0fc:     48 '0'

e.g., string=="", x==0, y==48

(gdb) disas 0x280c658d
Dump of assembler code for function tgoto:
0x280c6554 <tgoto>:     push   %ebp
0x280c6555 <tgoto+1>:   mov    %esp,%ebp
0x280c6557 <tgoto+3>:   sub    $0xc,%esp
0x280c655a <tgoto+6>:   push   %edi
0x280c655b <tgoto+7>:   push   %esi
0x280c655c <tgoto+8>:   push   %ebx
0x280c655d <tgoto+9>:   call   0x280c6562 <tgoto+14>
0x280c6562 <tgoto+14>:  pop    %ebx
0x280c6563 <tgoto+15>:  add    $0x2e112,%ebx
0x280c6569 <tgoto+21>:  mov    0x8(%ebp),%esi
(%esi <- string)
0x280c656c <tgoto+24>:  mov    0x10(%ebp),%edi
(%edi <- y)
0x280c656f <tgoto+27>:  add    $0xfffffff4,%esp
0x280c6572 <tgoto+30>:  push   %esi
(string)
0x280c6573 <tgoto+31>:  call   0x280c6044 <_nc_lib_traceatr+8>
(is_termcap(string).)
0x280c6578 <tgoto+36>:  add    $0x10,%esp
0x280c657b <tgoto+39>:  test   %al,%al
0x280c657d <tgoto+41>:  je     0x280c6590 <tgoto+60>
0x280c657f <tgoto+43>:  add    $0xfffffffc,%esp
0x280c6582 <tgoto+46>:  push   %edi
(y)
0x280c6583 <tgoto+47>:  mov    0xc(%ebp),%eax
0x280c6586 <tgoto+50>:  push   %eax
(x)
0x280c6587 <tgoto+51>:  push   %esi
(string)
0x280c6588 <tgoto+52>:  call   0x280c6088 <_nc_lib_traceatr+76>
(tgoto_internal(string,x,y))
0x280c658d <tgoto+57>:  jmp    0x280c659e <tgoto+74>

The bad function is tgoto_internal().
In the case where the string is empty, the local variables "result" and "length"
keep garbage; code such as "strcpy(result + used, BC);" and "result[used] = '\0';"
breaks the program's consistency.

Fix: tgoto_internal() should check for the situation where, after the
string-parsing cycle, result is still NULL. I propose the following,
but I'm not sure of my deep understanding of how curses works.

--- lib_tgoto.c.orig	Wed Oct 11 10:30:24 2000
+++ lib_tgoto.c	Fri Nov 24 02:47:45 2000
@@ -168,6 +168,8 @@
 	}
 	string++;
     }
+    if (!result)
+        return NULL;
     if (need_BC) {
 	strcpy(result + used, BC);
 	used += strlen(BC);
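Review bot: returning NULL from the `if (!result)` guard moves the failure to the caller rather than removing it; frame 5 of the backtrace shows screen passing the return value of tgoto() straight into tputs() (`tputs(tgoto(s, 0, c), 1, DoAddChar);`), so a NULL here would still crash in that path. The empty capability string has a natural expansion, the empty string, so it would be safer to ensure `result` is allocated (before the loop, or in this guard) and let the existing `result[used] = '\0';` produce "" for this case. If the guard stays, a one-line comment stating that `result` is only allocated inside the parsing loop, and is therefore NULL when the loop never runs, would help the next reader understand why the check is needed.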
How-To-Repeat: 
See Description
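A constructed C model of the failure mode, added here and not taken from ncurses or from the report: the result buffer is reserved before the parsing loop instead of only inside it, so the empty-string call seen in frame 5 (tgoto(s, 0, c) with s == "") yields a valid empty string rather than a write through a never-allocated pointer. The names goto_expand and reserve, the "%d"-only expansion and the BC value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of a tgoto-style expander (not the ncurses
 * source).  Like the code in the report it has a static result buffer grown on
 * demand, a post-loop strcpy of BC and a NUL terminator, but it reserves the
 * buffer BEFORE the parsing loop, so an empty string yields a valid "" instead
 * of a write through an unallocated pointer.  Only "%d" is expanded (x, then
 * y); the BC value is an assumption. */
static const char *BC = "\b";

/* Grow *buf to at least `need` bytes; returns 0 on allocation failure. */
static int reserve(char **buf, size_t *len, size_t need)
{
    char *tmp;
    if (need <= *len) return 1;
    if ((tmp = realloc(*buf, need)) == NULL) return 0;
    *buf = tmp;
    *len = need;
    return 1;
}

char *goto_expand(const char *string, int x, int y, int need_BC)
{
    static char *result = NULL;      /* reused across calls, as in the report */
    static size_t length = 0;
    size_t used = 0;
    int args[2] = { x, y };
    int argi = 0;
    /* The fix: guarantee storage even when the loop below never runs. */
    if (!reserve(&result, &length, 16)) return NULL;
    while (*string != '\0') {
        /* room for one literal byte or one formatted int (<= 12 bytes) */
        if (!reserve(&result, &length, used + 32)) return NULL;
        if (string[0] == '%' && string[1] == 'd' && argi < 2) {
            used += (size_t)sprintf(result + used, "%d", args[argi++]);
            string += 2;
        } else {
            result[used++] = *string++;
        }
    }
    if (need_BC) {                   /* the post-loop writes from the report */
        if (!reserve(&result, &length, used + strlen(BC) + 1)) return NULL;
        strcpy(result + used, BC);
        used += strlen(BC);
    }
    result[used] = '\0';
    return result;
}
```

With the reservation before the loop, the empty-string call returns "" (or BC alone when need_BC is set), which tputs() can consume safely.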
Comment 1 iedowse freebsd_committer freebsd_triage 2002-08-11 22:51:15 UTC
State Changed
From-To: open->feedback


Is this bug still present?
Comment 2 Valentin Nechayev 2002-08-21 10:43:13 UTC
 Sun, Aug 11, 2002 at 14:51:37, iedowse wrote about "Re: gnu/23058: ncurses: tgoto_internal() ugliness": 

> Synopsis: ncurses: tgoto_internal() ugliness
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: iedowse
> State-Changed-When: Sun Aug 11 14:51:15 PDT 2002
> State-Changed-Why: 
> 
> Is this bug still present?

Yes, the code hasn't been changed since the bug was detected, and in the case of an
empty string the allocation isn't called.
But now I don't know how it can be triggered (screen is now fixed in this
place due to a parallel PR and subsequent upgrades, and I didn't see other
reports).


/netch
Comment 3 Giorgos Keramidas freebsd_committer freebsd_triage 2003-04-20 01:28:22 UTC
Responsible Changed
From-To: freebsd-bugs->cy

I think I have tracked this down.  Cy has parts of my email exchanges with the 
submitter in his Inbox now.  It's definitely a screen buglet...
Comment 4 Cy Schubert freebsd_committer freebsd_triage 2003-05-04 21:24:02 UTC
State Changed
From-To: feedback->closed

Applied keramida's patch to screen. Fixed.