From bkoenig@cs.tu-berlin.de  Sat Jun 18 10:44:06 2005
Return-Path: <bkoenig@cs.tu-berlin.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2887916A41C
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 18 Jun 2005 10:44:06 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from mail.efacilitas.de (efacilitas.de [213.133.110.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AB07C43D48
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 18 Jun 2005 10:44:05 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from eurystheus.local (port-212-202-169-37.dynamic.qsc.de [212.202.169.37])
	by mail.efacilitas.de (Postfix) with ESMTP id 2855B123978
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 18 Jun 2005 12:42:28 +0200 (CEST)
Received: from localhost (eurystheus.local [192.168.1.67])
	by eurystheus.local (Postfix) with ESMTP id 2478D12B0E7
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 18 Jun 2005 12:42:36 +0200 (CEST)
Received: from eurystheus.local ([192.168.1.67])
 by localhost (eurystheus.locaL [192.168.1.67]) (amavisd-new, port 10024)
 with ESMTP id 83907-06 for <FreeBSD-gnats-submit@freebsd.org>;
 Sat, 18 Jun 2005 12:42:31 +0200 (CEST)
Received: from hoppel.local (eurystheus.local [192.168.1.67])
	by eurystheus.local (Postfix) with SMTP id 443E512B0E5
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 18 Jun 2005 12:42:31 +0200 (CEST)
Received: by hoppel.local (sSMTP sendmail emulation); Sat, 18 Jun 2005 12:42:31 +0200
Message-Id: <20050618104231.443E512B0E5@eurystheus.local>
Date: Sat, 18 Jun 2005 12:42:31 +0200
From: "Björn König" <bkoenig@cs.tu-berlin.de>
Reply-To: Björn König <bkoenig@cs.tu-berlin.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: small bug in libedit might cause abnormal program termination
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         82381
>Category:       kern
>Synopsis:       [patch] small bug in libedit might cause abnormal program termination
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    stefanf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 18 10:50:15 GMT 2005
>Closed-Date:    Mon Jan 09 18:08:48 GMT 2006
>Last-Modified:  Mon Jan 09 18:08:48 GMT 2006
>Originator:     Björn König
>Release:        
>Organization:
>Environment:
>Description:
	libedit covers several vi and emacs functions and stores
	descriptions about them in a structure called el_func_help
	which is generated automatically. This structure is
	terminated by { NULL, 0, NULL }, as is customary, to have an
	exit condition for use with loops. The problem is that
	the map_init function in lib/libedit/map.c does not respect
	this null-termination. It allocates memory for only N
	functions, but N+1 is necessary to include the termination.
	You'll get a segmentation fault in certain cases.
	
>How-To-Repeat:
	Set a language explicitly if you haven't set one.

	   > setenv LANG en_US.ISO8859-1

	Run a shell with built-in emacs command line editor.

	   > sh -E

	List all editor commands.

	   $ bind -l 2>/dev/null
	   Segmentation fault (core dumped)

>Fix:

--- libedit::map.c.diff begins here ---
--- src/lib/libedit/map.c.orig	Sat Jun 18 11:42:22 2005
+++ src/lib/libedit/map.c	Sat Jun 18 12:00:08 2005
@@ -917,11 +917,11 @@
 	el->el_map.vic = el_map_vi_command;
 	el->el_map.vii = el_map_vi_insert;
 	el->el_map.help = (el_bindings_t *) el_malloc(sizeof(el_bindings_t) *
-	    EL_NUM_FCNS);
+	    (EL_NUM_FCNS + 1));
 	if (el->el_map.help == NULL)
 		return (-1);
 	(void) memcpy(el->el_map.help, help__get(),
-	    sizeof(el_bindings_t) * EL_NUM_FCNS);
+	    sizeof(el_bindings_t) * (EL_NUM_FCNS + 1));
 	el->el_map.func = (el_func_t *)el_malloc(sizeof(el_func_t) *
 	    EL_NUM_FCNS);
 	if (el->el_map.func == NULL)
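Review bot: the `+ 1` for the sentinel now appears in two places in this hunk (the el_malloc size and the memcpy length) while the el_map.func allocation immediately below stays at EL_NUM_FCNS; please confirm that el_map.func is only ever indexed by function number and never walked to a NULL terminator, otherwise it needs the same treatment. To keep the two help sizes from drifting apart, compute the byte count once, e.g. `size_t helpsz = sizeof(el_bindings_t) * (EL_NUM_FCNS + 1);`, use it for both the allocation and the copy, and add a comment stating that the extra element is the { NULL, 0, NULL } terminator of el_func_help so the next reader does not "fix" it back.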
--- libedit::map.c.diff ends here ---
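
The off-by-one described above, as an added example that is not libedit's code: a sentinel-terminated table is copied with N entries instead of N+1, a bounded check shows the copy has lost its terminator, and the fixed copy is shown next to a count-driven iteration that does not depend on a terminator at all. The struct shape (binding_t), the NUM_FCNS macro standing in for EL_NUM_FCNS, and the three table entries are constructed for the example, not taken from libedit.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libedit's el_bindings_t (assumed shape: name, function
 * number, description); not the real libedit definition. */
typedef struct {
    const char *name;
    int         func;
    const char *description;
} binding_t;

/* Constructed table in the style of el_func_help: real entries followed
 * by a { NULL, 0, NULL } sentinel that sentinel-driven loops stop on. */
static const binding_t help_table[] = {
    { "ed-move-to-beg", 0, "Move cursor to the beginning of line" },
    { "ed-move-to-end", 1, "Move cursor to the end of line" },
    { "em-yank",        2, "Paste cut buffer at cursor position" },
    { NULL, 0, NULL }
};

/* Mirrors EL_NUM_FCNS: number of real entries, NOT counting the sentinel. */
#define NUM_FCNS 3

/* Copies the first n entries of help_table into a fresh heap buffer.
 * n == NUM_FCNS reproduces the bug (sentinel dropped);
 * n == NUM_FCNS + 1 is the fix (sentinel travels with the data). */
binding_t *copy_help(size_t n)
{
    binding_t *h = malloc(sizeof(*h) * n);
    if (h == NULL)
        return NULL;
    memcpy(h, help_table, sizeof(*h) * n);
    return h;
}

/* A sentinel-driven walk like "bind -l" would read past the buggy copy's
 * allocation, so this check bounds the scan to the n_alloc entries that
 * really exist. Returns 1 if a sentinel lies inside the buffer, 0 if a
 * sentinel-driven loop would run off the end. */
int sentinel_within(const binding_t *h, size_t n_alloc)
{
    for (size_t i = 0; i < n_alloc; i++)
        if (h[i].name == NULL)
            return 1;
    return 0;
}

/* Convenience wrappers: 1 = safely terminated, 0 = not, -1 = malloc failed. */
int buggy_copy_is_terminated(void)
{
    binding_t *h = copy_help(NUM_FCNS);
    if (h == NULL)
        return -1;
    int r = sentinel_within(h, NUM_FCNS);
    free(h);
    return r;
}

int fixed_copy_is_terminated(void)
{
    binding_t *h = copy_help(NUM_FCNS + 1);
    if (h == NULL)
        return -1;
    int r = sentinel_within(h, NUM_FCNS + 1);
    free(h);
    return r;
}

/* Defensive alternative: iterate by count rather than by sentinel, so a
 * missing terminator can never turn into an out-of-bounds read.
 * Returns how many named entries were listed. */
size_t list_by_count(const binding_t *h, size_t n)
{
    size_t listed = 0;
    for (size_t i = 0; i < n; i++)
        if (h[i].name != NULL)
            listed++;
    return listed;
}

int main(void)
{
    printf("buggy copy terminated: %d\n", buggy_copy_is_terminated());
    printf("fixed copy terminated: %d\n", fixed_copy_is_terminated());
    printf("entries by count: %zu\n", list_by_count(help_table, NUM_FCNS + 1));
    return 0;
}
```

The bounded check stands in for the crash: in the buggy copy no sentinel exists within the allocation, so a loop that stops only on NULL keeps reading heap memory beyond it, which is the segmentation fault reported above. Counting entries with NUM_FCNS (the list_by_count form) removes the dependence on the terminator entirely.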


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->stefanf 
Responsible-Changed-By: stefanf 
Responsible-Changed-When: Sat Aug 6 14:50:40 GMT 2005 
Responsible-Changed-Why:  
Over to me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82381 
State-Changed-From-To: open->patched 
State-Changed-By: stefanf 
State-Changed-When: Mon Aug 8 07:11:01 GMT 2005 
State-Changed-Why:  
Committed to -current, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82381 
State-Changed-From-To: patched->closed 
State-Changed-By: stefanf 
State-Changed-When: Mon Jan 9 18:08:40 UTC 2006 
State-Changed-Why:  
Also fixed in RELENG_{5,6}.  Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82381 
>Unformatted:
