From eugen@D00015.dialonly.kemerovo.su  Sat Jun 16 22:51:58 2001
Return-Path: <eugen@D00015.dialonly.kemerovo.su>
Received: from D00015.dialonly.kemerovo.su (www2.svzserv.kemerovo.su [213.184.65.86])
	by hub.freebsd.org (Postfix) with ESMTP id 2F41437B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 16 Jun 2001 22:51:54 -0700 (PDT)
	(envelope-from eugen@D00015.dialonly.kemerovo.su)
Received: (from eugen@localhost)
	by D00015.dialonly.kemerovo.su (8.11.3/8.11.3) id f5H5oP807363;
	Sun, 17 Jun 2001 13:50:25 +0800 (KRAST)
	(envelope-from eugen)
Message-Id: <200106170550.f5H5oP807363@D00015.dialonly.kemerovo.su>
Date: Sun, 17 Jun 2001 13:50:25 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: eugen@grosbein.pp.ru
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: dialog(1) segfaults (due to the bug in libdialog?)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28221
>Category:       bin
>Synopsis:       dialog(1) segfaults (due to the bug in libdialog?)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    eric
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 16 23:00:01 PDT 2001
>Closed-Date:    Wed Feb 25 17:54:47 PST 2004
>Last-Modified:  Wed Feb 25 17:54:47 PST 2004
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
ISP Svyaz-Service
>Environment:
System: FreeBSD 4.3-STABLE #4: Wed Jun 6 21:57:52 KRAST 2001 

>Description:

dialog(1) segfaults with incorrect parameters
due to the lack of checks in it or in /usr/src/gnu/lib/libdialog/menubox.c.
Precisely, there is code around line 450 of menubox.c:

/*
 * Print menu item
 */
static void
print_item(WINDOW *win, unsigned char *tag, unsigned char *item, int choice, int selected, dialogMenuItem *me, int menu_width, int tag_x, int item_x)
{
    int i;
    
    /* Clear 'residue' of last item */
    wattrset(win, menubox_attr);
    wmove(win, choice, 0);
    for (i = 0; i < menu_width; i++)
	waddch(win, ' ');
    wmove(win, choice, tag_x);
    wattrset(win, selected ? tag_key_selected_attr : tag_key_attr);
    waddch(win, tag[0]);
                ^^^^^^ when tag==NULL, dialog(1) segfaults
>How-To-Repeat:
Type:
	dialog --menu "" 15 40 "" "" off

Now press the 'Down' arrow key and dialog segfaults.

Here is gdb(1) output:

# gdb `which dialog` dialog.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `dialog'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libdialog.so.4...done.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x28070ce6 in print_item (win=0x8050400, tag=0x0,
    item=0xbfbffc6f "MACHTYPE=i386", choice=1, selected=1, me=0x0,
    menu_width=34, tag_x=14, item_x=16)
    at /usr/src/gnu/lib/libdialog/menubox.c:450
450         waddch(win, tag[0]);
(gdb) bt
#0  0x28070ce6 in print_item (win=0x8050400, tag=0x0,
    item=0xbfbffc6f "MACHTYPE=i386", choice=1, selected=1, me=0x0,
    menu_width=34, tag_x=14, item_x=16)
    at /usr/src/gnu/lib/libdialog/menubox.c:450
#1  0x28070762 in dialog_menu (title=0x0, prompt=0xbfbffc62 "", height=15,
    width=40, menu_height=0, cnt=1, it=0xbfbffb68, result=0xbfbff2fc "",
    ch=0x0, sc=0x0) at /usr/src/gnu/lib/libdialog/menubox.c:300
#2  0x80490d6 in main (argc=8, argv=0xbfbffb50)
    at /usr/src/gnu/usr.bin/dialog/dialog.c:262
#3  0x80489ed in _start ()

>Fix:
Perhaps add some checks? I have no experience with ncurses.
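As an added illustration of the kind of check this report asks for (example code written for this page, not FreeBSD's libdialog or dialog(1) source): the backtrace shows print_item() receiving tag=0x0 while item points at "MACHTYPE=i386", an environment string that was never typed on the repro command line, so both the row renderer and the handling of the tag/item list are places where a NULL or bounds check belongs. The model below replaces the ncurses window with a constructed fixed-width row buffer so it runs stand-alone; MENU_WIDTH, row_t, menu_item_t, row_put, render_menu_row and parse_menu_items are names chosen for this example, and the PR records only that "a simple check was added", not which one, so this is not the committed fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of libdialog's menu row rendering and dialog(1)'s
 * tag/item list handling.  Not FreeBSD's code: the ncurses window is a
 * fixed-width character row so the example runs without curses. */

#define MENU_WIDTH 34   /* menu_width value seen in the report's backtrace */

typedef struct {
    char cells[MENU_WIDTH + 1];   /* one screen row, NUL-terminated */
} row_t;

typedef struct {
    const char *tag;
    const char *item;
} menu_item_t;

/* Copy s into the row starting at column x, dropping any character that
 * would land outside [0, MENU_WIDTH).  Stands in for the waddch() loop. */
static void row_put(row_t *row, int x, const char *s)
{
    for (int i = 0; s[i] != '\0'; i++) {
        int col = x + i;
        if (col >= 0 && col < MENU_WIDTH)
            row->cells[col] = s[i];
    }
}

/* Render one menu row: clear the residue of the last item, then place the
 * tag and the item.  Unlike the print_item() quoted in the report, a NULL
 * tag or item is treated as "" instead of being dereferenced.  Returns 0
 * when both fields were present, -1 when one had to be substituted, so the
 * caller can report the malformed entry instead of crashing. */
int render_menu_row(row_t *row, const char *tag, const char *item,
                    int tag_x, int item_x)
{
    int rc = 0;
    memset(row->cells, ' ', MENU_WIDTH);
    row->cells[MENU_WIDTH] = '\0';
    if (tag == NULL)  { tag = "";  rc = -1; }
    if (item == NULL) { item = ""; rc = -1; }
    row_put(row, tag_x, tag);
    row_put(row, item_x, item);
    return rc;
}

/* Build the tag/item list from argv[first] onward without ever indexing
 * past argc (the NULL that terminates argv is followed by the environment,
 * which is what a stray read would return).  Returns the number of pairs,
 * or -1 if the tail has an odd length (a tag with no item) or does not fit
 * in out[]. */
int parse_menu_items(int argc, const char **argv, int first,
                     menu_item_t *out, int max_items)
{
    if (first < 0 || first > argc)
        return -1;
    int remaining = argc - first;
    if (remaining % 2 != 0)
        return -1;
    int n = remaining / 2;
    if (n > max_items)
        return -1;
    for (int i = 0; i < n; i++) {
        out[i].tag  = argv[first + 2 * i];
        out[i].item = argv[first + 2 * i + 1];
    }
    return n;
}

int main(void)
{
    /* Constructed argument vector matching the repro in this report:
     * text="", height=15, width=40, menu-height="", then one pair. */
    const char *argv_repro[] = {"dialog", "--menu", "", "15", "40", "", "", "off"};
    menu_item_t items[8];
    int n = parse_menu_items(8, argv_repro, 6, items, 8);
    printf("pairs parsed: %d\n", n);

    /* Asking for an entry beyond the parsed count is refused by the caller
     * rather than rendered from whatever memory follows the list. */
    row_t row;
    for (int choice = 0; choice < 2; choice++) {
        if (choice >= n) {
            printf("choice %d: no such entry (count is %d)\n", choice, n);
            continue;
        }
        int rc = render_menu_row(&row, items[choice].tag, items[choice].item, 14, 16);
        printf("choice %d (rc=%d): [%s]\n", choice, rc, row.cells);
    }
    /* The crash input itself, handled without dereferencing NULL. */
    int rc = render_menu_row(&row, NULL, "MACHTYPE=i386", 14, 16);
    printf("NULL tag (rc=%d): [%s]\n", rc, row.cells);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`; the main() runs the repro's argument vector through the parser, refuses the second menu entry that does not exist, and renders the exact NULL-tag input from the backtrace without faulting.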
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->eric 
Responsible-Changed-By: murray 
Responsible-Changed-When: Fri Aug 31 11:51:28 PDT 2001 
Responsible-Changed-Why:  
Eric was working on this code recently.  Perhaps he can add in a simple check? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28221 

From: Eugene Grosbein <eugen@kuzbass.ru>
To: bug-followup@freebsd.org
Cc: eric@freebsd.org
Subject: Re: bin/28221: dialog(1) segfaults (due to the bug in libdialog?)
Date: Tue, 04 Feb 2003 16:56:30 +0700

 Hi!
 
 It still segfaults in 4.7-STABLE.
 Any ideas?
 
 Eugene Grosbein

From: Eric Melville <eric@FreeBSD.org>
To: Eugene Grosbein <eugen@kuzbass.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/28221: dialog(1) segfaults (due to the bug in libdialog?)
Date: Tue, 4 Feb 2003 13:30:52 -0800

 > It still segfaults in 4.7-STABLE.
 > Any ideas?
 
 Yes, I can easily fix this. The reason it hasn't been fixed and this
 report has been going stale is because it's really a reminder of a much
 larger problem. That is, libdialog is chock full of these things, and
 some of them are security concerns.
 
 I can fix this one problem and close this one bug, but we're really
 just playing whack-a-mole with the thing.
 
 It's probably a lost cause, but has anyone else got any better ideas?
State-Changed-From-To: open->closed 
State-Changed-By: eric 
State-Changed-When: Wed Feb 25 17:53:18 PST 2004 
State-Changed-Why:  
A simple check was added, ignoring other similar problems in libdialog. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=28221 
>Unformatted:
