Date: Wed, 30 Jun 2004 19:21:03 GMT
From: Daniel Simeone <traser@isn.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Resizing 'top' running in a terminal to one column width causes a seg. fault in 'top'
X-Send-Pr-Version: www-2.3

>Number:         68527
>Category:       bin
>Synopsis:       Resizing 'top' running in a terminal to one column width causes a seg. fault in 'top'
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 30 19:30:23 GMT 2004
>Closed-Date:    Fri Feb 15 18:10:00 UTC 2008
>Last-Modified:  Fri Feb 15 18:10:00 UTC 2008
>Originator:     Daniel Simeone
>Release:        FreeBSD 5.2.1-RELEASE-p8
>Organization:
>Environment:
FreeBSD dyna167-231.acadiau.ca 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #0: Fri Jun 11 09:24:56 ADT 2004     traser@dyna167-231.acadiau.ca:/usr/obj/usr/src/sys/CRAPTOP  i386
>Description:
In several graphical terminal programs, resizing a window running the standard application 'top' (which is capable of reacting to a resized terminal) causes top to crash, with a seg fault being given off.
>How-To-Repeat:
Start up an xterm, an aterm or another similar graphical terminal (does not affect konsole, as konsole does not allow such radical resizing), run the program 'top,' resize to a width of one-column, and 'top' will segfault.
>Fix:
      
>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Daniel Simeone <traser@isn.net>
Cc: bug-followup@freebsd.org
Subject: Re: bin/68527: Resizing 'top' running in a terminal to one column width causes a seg. fault in 'top'
Date: Thu, 1 Jul 2004 00:24:31 +0300

 On 2004-06-30 19:21, Daniel Simeone <traser@isn.net> wrote:
 > Start up an xterm, an aterm or another similar graphical terminal
 > (does not affect konsole, as konsole does not allow such radical
 > resizing), run the program 'top,' resize to a width of one-column,
 > and 'top' will segfault.
 
 I can repeat this.  A backtrace from top compiled with CFLAGS="-ggdb" is
 shown below:
 
 : giorgos@gothmog:/tmp$ gdb ./top top.core
 : GNU gdb 6.1.1 [FreeBSD]
 : Copyright 2004 Free Software Foundation, Inc.
 : GDB is free software, covered by the GNU General Public License, and you are
 : welcome to change it and/or distribute copies of it under certain conditions.
 : Type "show copying" to see the conditions.
 : There is absolutely no warranty for GDB.  Type "show warranty" for details.
 : This GDB was configured as "i386-marcel-freebsd"...
 : Core was generated by `top'.
 : Program terminated with signal 11, Segmentation fault.
 : Reading symbols from /lib/libncurses.so.5...done.
 : Loaded symbols for /lib/libncurses.so.5
 : Reading symbols from /lib/libm.so.2...done.
 : Loaded symbols for /lib/libm.so.2
 : Reading symbols from /lib/libkvm.so.2...done.
 : Loaded symbols for /lib/libkvm.so.2
 : Reading symbols from /lib/libc.so.5...done.
 : Loaded symbols for /lib/libc.so.5
 : Reading symbols from /libexec/ld-elf.so.1...done.
 : Loaded symbols for /libexec/ld-elf.so.1
 : #0  0x0804f01b in strecpy (to=0x800 <Address 0x800 out of bounds>, from=0x80534a0 "")
 :     at /usr/src/contrib/top/utils.c:153
 : 153         while ((*to++ = *from++) != '\0');
 : (gdb) bt
 : #0  0x0804f01b in strecpy (to=0x800 <Address 0x800 out of bounds>, from=0x80534a0 "")
 :     at /usr/src/contrib/top/utils.c:153
 : #1  0x0804aac7 in i_process (line=0, thisline=0x80534a0 "") at /usr/src/contrib/top/display.c:697
 : #2  0x0804df0c in main (argc=1, argv=0xbfbfe974) at /usr/src/contrib/top/top.c:624
 : (gdb)
 
 The bug is caused by various parts of the top source that set the
 variable screen_width to (columns - 1) where `columns' is the width of
 the current terminal.  This subtraction is probably an attempt to avoid
 messing up the output window on terminals that have automatic right
 margin and wrapping capabilities.  It has a nasty side effect though in
 display.c near line 117 where a buffer is allocated to hold a memory
 image of the screen window:
 
     display.c:117:    screenbuf = (char *)malloc(lines * display_width);
 
 When the terminal width is 1 column, screen_width is zero (one less).
 malloc() is called with an argument of zero and returns whatever the
 current settings of /etc/malloc.conf or the default of malloc() happens
 to be set to (either a NULL pointer or a minimal allocation area).
 
 Of course writing to this buffer, which top later does, is wrong.  The
 crash stops if display_width never drops to 0 columns:
 
 --- patch start ---
 Index: display.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/top/display.c,v
 retrieving revision 1.7
 diff -u -r1.7 display.c
 --- display.c	11 Aug 2002 18:37:25 -0000	1.7
 +++ display.c	30 Jun 2004 21:02:46 -0000
 @@ -108,7 +108,7 @@
         modules make static allocations based on MAX_COLS and we don't want
         to run off the end of their buffers */
      display_width = screen_width;
 -    if (display_width >= MAX_COLS)
 +    if (display_width <= 0 || display_width >= MAX_COLS)
      {
  	display_width = MAX_COLS - 1;
      }
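Review bot: In the new condition (display_width <= 0 || display_width >= MAX_COLS), a zero or negative width takes the same fallback as an oversized one, so display_width becomes MAX_COLS - 1 while screen_width, which this hunk only reads, keeps its too-small value, and the two no longer agree on a terminal that is actually very narrow. Consider handling the low case in its own branch with a small minimum such as 1, and update the comment above the assignment, which still explains only the upper bound against MAX_COLS-sized static allocations.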
 --- patch end ---
 
 A more serious attempt at fixing top to work correctly with any terminal
 type would require looking at "am" and "YE" capabilities, fixing
 screen_width and display_width to one less column only if absolutely
 necessary.  This patch doesn't fix the other 'hidden' bug of top that
 results in garbage being printed for too low values of screen_width,
 but at least it avoids the crashes.
 
 - Giorgos
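
The zero-size allocation described in the message above, with the width clamped and the allocation checked before use. This is an added example, not code from top or from the patch in this PR: the helper names and the MAX_COLS value are assumptions, and the low case is clamped to 1 rather than to MAX_COLS - 1 as the patch does.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COLS 128   /* assumed value for this example */

/* Hypothetical helper: usable display width for a terminal of `columns`. */
static int clamp_display_width(int columns)
{
    if (columns < 2)
        return 1;                 /* (columns - 1) would be <= 0: keep one cell */
    if (columns - 1 >= MAX_COLS)
        return MAX_COLS - 1;      /* stay inside MAX_COLS-sized static buffers */
    return columns - 1;           /* the "one less than the terminal" rule */
}

/* Hypothetical helper: allocate the in-memory screen image.
 * Returns NULL for a non-positive line count, on size overflow,
 * or when the allocator fails; never requests zero bytes. */
static char *alloc_screenbuf(int lines, int columns, size_t *size_out)
{
    size_t width, size;
    char *buf;

    if (lines < 1)
        return NULL;
    width = (size_t)clamp_display_width(columns);
    if ((size_t)lines > SIZE_MAX / width)
        return NULL;              /* lines * width would wrap around */
    size = (size_t)lines * width;
    buf = calloc(size, 1);
    if (buf != NULL && size_out != NULL)
        *size_out = size;
    return buf;
}

int main(void)
{
    int widths[] = { 0, 1, 2, 80, 500 };   /* constructed terminal widths */
    for (size_t i = 0; i < sizeof(widths) / sizeof(widths[0]); i++) {
        size_t size = 0;
        char *buf = alloc_screenbuf(24, widths[i], &size);
        printf("columns=%d width=%d bytes=%zu\n", widths[i],
               clamp_display_width(widths[i]), size);
        free(buf);
    }
    return 0;
}
```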
 

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, traser@isn.net
Cc:  
Subject: Re: bin/68527: Resizing 'top' running in a terminal to one column
 width causes a seg. fault in 'top'
Date: Fri, 15 Feb 2008 18:20:27 +0100

 Daniel,
 
 unfortunately I'm unable to reproduce your issue. Using an xterm and
 running top in it, xterm doesn't let me reduce the width to less than 5
 chars.
 
 Do you still see this issue? If not, can we close this PR?
 
 Thank you!
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Fri Feb 15 17:35:51 UTC 2008 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68527 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Feb 15 18:08:59 UTC 2008 
State-Changed-Why:  
Followup on IRC notes that this is addressed by the patches in bin/92074. 
Please redirect all followups there. 

>Unformatted:
