From max@gw.jmrodgers.com  Fri May 15 13:38:57 1998
Received: from gw.jmrodgers.com (gw.jmrodgers.com [205.247.224.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29955
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 15 May 1998 13:38:53 -0700 (PDT)
          (envelope-from max@gw.jmrodgers.com)
Received: (from max@localhost)
	by gw.jmrodgers.com (8.8.8/8.8.8) id QAA13142;
	Fri, 15 May 1998 16:38:01 -0400 (EDT)
	(envelope-from max)
Message-Id: <199805152038.QAA13142@gw.jmrodgers.com>
Date: Fri, 15 May 1998 16:38:01 -0400 (EDT)
From: Max Euston <meuston@jmrodgers.com>
Reply-To: Max Euston <meuston@jmrodgers.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [Patch] Can get NULL pointer in vidattr (ncurses)
X-Send-Pr-Version: 3.2

>Number:         6648
>Category:       bin
>Synopsis:       [Patch] Can get NULL pointer in vidattr (ncurses)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 15 13:40:01 PDT 1998
>Closed-Date:    Fri May 15 14:36:13 PDT 1998
>Last-Modified:  Fri May 15 14:37:09 PDT 1998
>Originator:     Max Euston
>Release:        FreeBSD 2.2.5-STABLE i386
>Organization:
>Environment:

	-STABLE (and -CURRENT) (since revision 1.3)

>Description:

	Low-level use of 'vidattr()' can cause a NULL pointer to be
dereferenced.  This is because 'SP' is only initialized via 'newterm()'
(which is not required if you are going to interact with the 'terminfo'
database without using 'ncurses').

>How-To-Repeat:

#include <curses.h>
#include <term.h>
#include <unistd.h>

int main(void)
{
	setupterm(NULL, STDOUT_FILENO, NULL);	/* terminfo only: 'SP' stays NULL, no newterm() */
	vidputs(A_BOLD, putchar);		/* This will SIGSEGV (arguments illustrative) */
	return 0;
}
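A constructed C model of the attribute bookkeeping that the patch in the Fix section introduces, added here as an illustration and not ncurses code: the SCREEN type, chtype layout, A_COLOR/A_BOLD bits and PAIR_NUMBER() are stand-ins, and vidputs_model() returns what the real function would emit instead of writing to the terminal. It exercises the case the PR describes (SP still NULL after setupterm()) and then the write-back once a SCREEN exists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins (assumed, not ncurses' real values): attribute bits live in a
 * chtype, the colour-pair number occupies bits 8..15, A_BOLD is a high bit. */
typedef unsigned long chtype;
#define A_COLOR        0x0000ff00UL
#define A_BOLD         0x00200000UL
#define PAIR_NUMBER(a) ((int)(((a) & A_COLOR) >> 8))

typedef struct { chtype _current_attr; } SCREEN;
SCREEN *SP = NULL;          /* NULL until newterm() runs: the situation in the PR */

typedef struct { bool changed; chtype turn_off, turn_on; int pair; } vid_result;

/* Mirrors the patched vidputs(): read the previous attribute from SP when a
 * SCREEN exists, otherwise keep it in a static; write back only when SP is set. */
vid_result vidputs_model(chtype newmode)
{
    static chtype previous_attr = 0;    /* assumes the terminal starts with no attributes */
    vid_result r = { false, 0, 0, 0 };

    if (SP)
        previous_attr = SP->_current_attr;
    if (newmode == previous_attr)
        return r;                       /* nothing to emit */

    r.changed  = true;
    r.turn_off = (~newmode & previous_attr) & ~A_COLOR;
    r.turn_on  = (newmode & ~previous_attr) & ~A_COLOR;
    r.pair     = PAIR_NUMBER(newmode);

    previous_attr = newmode;
    if (SP)
        SP->_current_attr = previous_attr;
    return r;
}

int main(void)
{
    SCREEN scr = { 0 };
    vid_result r = vidputs_model(A_BOLD);           /* SP == NULL: no crash, static used */
    printf("no SP:   changed=%d turn_on=%#lx\n", r.changed, r.turn_on);
    SP = &scr;                                      /* "newterm()" happened */
    r = vidputs_model(A_BOLD);                      /* state in the static is not carried over */
    printf("with SP: changed=%d turn_on=%#lx cur=%#lx\n", r.changed, r.turn_on, SP->_current_attr);
    return 0;
}
```

The second call reports a change again because previous_attr is reloaded from the fresh SCREEN, which is the one behavioural edge of the patch worth knowing about.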

>Fix:
	
diff -u /usr/src/lib/libncurses/lib_vidattr.c ./lib_vidattr.c
--- /usr/src/lib/libncurses/lib_vidattr.c	Tue Sep  2 15:10:19 1997
+++ ./lib_vidattr.c	Fri May 15 14:16:42 1998
@@ -71,13 +71,14 @@
 	}
 }
 
-#define previous_attr SP->_current_attr
-
 int vidputs(chtype newmode, int  (*outc)(int))
 {
-chtype	turn_off = (~newmode & previous_attr) & ~A_COLOR;
-chtype	turn_on  = (newmode & ~previous_attr) & ~A_COLOR;
-int pair, current_pair;
+static chtype  previous_attr=0;
+chtype	turn_off,turn_on;
+int	pair, current_pair;
+
+	if (SP)
+		previous_attr = SP->_current_attr;
 
 	T(("vidputs(%x) called %s", newmode, _traceattr(newmode)));
 	T(("previous attribute was %s", _traceattr(previous_attr)));
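Review bot: the new `if (SP)` guard at the top of vidputs() needs a comment saying why SP can be NULL here (setupterm() called without newterm(), so only the terminfo side is initialised); without it the guard looks redundant and is at risk of being folded back into a macro like the removed `#define previous_attr SP->_current_attr`. The fallback `static chtype  previous_attr=0;` also bakes in the assumption that the terminal starts with no attributes set, which is worth stating next to the declaration.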
@@ -85,6 +86,9 @@
 	if (newmode == previous_attr)
 		return OK;
 
+	turn_off = (~newmode & previous_attr) & ~A_COLOR;
+	turn_on  = (newmode & ~previous_attr) & ~A_COLOR;
+
 	pair = PAIR_NUMBER(newmode);
 	current_pair = PAIR_NUMBER(previous_attr);
 
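Review bot: moving the `turn_off`/`turn_on` computation below the early return is required rather than cosmetic, since `previous_attr` is now assigned after the declarations and C89 no longer allows it in the initialisers; a one-line comment saying so would stop a later cleanup from moving them back up. The masks are identical to the removed initialisers, so behaviour is unchanged.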
@@ -184,6 +188,8 @@
    	}
 
 	previous_attr = newmode;
+	if (SP)
+		SP->_current_attr = previous_attr;
 
 	T(("vidputs finished"));
 	return OK;
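Review bot: the write-back `if (SP) SP->_current_attr = previous_attr;` keeps the two records in sync only from the moment a SCREEN exists; attribute state accumulated in the static while SP was NULL is discarded, because the first hunk reloads `previous_attr` from `SP->_current_attr` on the next call. That is likely acceptable for the low-level use described, but the code should say so, or the static should be used to seed `_current_attr` when the screen is created.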
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ache 
State-Changed-When: Fri May 15 14:36:13 PDT 1998 
State-Changed-Why:  
Thanx, fixed. 
>Unformatted:
