| Summary: | Buffer overflow in /usr/bin/dialog | | |
|---|---|---|---|
| Product: | Base System | Reporter: | SaturNero <saturnero> |
| Component: | gnu | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | dave |
| Priority: | Normal | | |
| Version: | 4.7-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
The result from a checklist is stored in the result variable, with a maximum length of MAX_LEN, which is defined in /usr/include/dialog.h or /usr/src/gnu/lib/libdialog/dialog.h as 2048. Your checklist's output is breaching this limit. Could the result variable perhaps be dynamically allocated to hold as much as argv does? I'm not too familiar with dialog, but does it ever output more than it receives as input?

-- Dave

libdialog appears to be brimming with bugs of this sort. Lots of uses of strcpy / strcat. It probably needs a complete audit. Ideally there should be no MAX_LEN and everything dynamically allocated. I hope to god it is never run by anything with elevated privileges.

-- Nate Eldredge nge@cs.hmc.edu

State Changed From-To: open->patched

MAX_LEN bumped to 4096

State Changed From-To: patched->closed

dialog has been updated
/usr/bin/dialog exits with Segmentation fault (after the Ok) when handling long checklists with many "on" fields.

Bug found by dave@freesbie.org and saturnero@freesbie.org

How-To-Repeat: The attached file packages.sh is a sample shell script that faults after the Ok
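The dynamic-allocation idea raised in the comments above, sketched as an added example (not libdialog code and not part of the original report): a result buffer that grows as selected tags are appended, so no fixed MAX_LEN is involved. The `struct result` type, both function names, the quoted space-separated output format and the sample tags are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct result {                 /* hypothetical type, not a libdialog structure */
    char  *buf;                 /* NUL-terminated once allocated */
    size_t len, cap;            /* bytes used (without NUL), bytes allocated */
};

/* Append "tag" in quotes plus a space (assumed format); 0 on success, -1 on failure. */
int result_append_tag(struct result *r, const char *tag)
{
    size_t tlen = strlen(tag);
    if (tlen > SIZE_MAX - r->len - 4)           /* 2 quotes + space + NUL */
        return -1;
    size_t need = r->len + tlen + 4;
    if (need > r->cap) {
        size_t ncap = (need > SIZE_MAX / 2) ? need : need * 2;
        char *p = realloc(r->buf, ncap);
        if (p == NULL)
            return -1;                          /* old buffer stays valid */
        r->buf = p;
        r->cap = ncap;
    }
    r->buf[r->len] = '"';
    memcpy(r->buf + r->len + 1, tag, tlen);
    memcpy(r->buf + r->len + 1 + tlen, "\" ", 3);   /* quote, space, NUL */
    r->len += tlen + 3;
    return 0;
}

size_t build_selection(struct result *r, int n)
{
    char tag[32];               /* constructed sample tags, one per "on" item */
    for (int i = 0; i < n; i++) {
        snprintf(tag, sizeof tag, "package-%04d", i);
        if (result_append_tag(r, tag) != 0)
            return 0;
    }
    return r->len;
}

int main(void)
{
    struct result r = {0};
    printf("%zu bytes collected; the fixed limit was 2048\n", build_selection(&r, 500));
    free(r.buf);
    return 0;
}
```

With 500 selected items the collected output is well past both the original 2048-byte limit and the 4096-byte value it was bumped to, which is why raising the constant only moves the threshold.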