Debian Bug report logs - #64713
xterm: ICH escape sequences not range checked -> segfault [UPSTREAM]

Package: xterm; Maintainer for xterm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xterm is src:xterm.

Reported by: Austin Donnelly <and1000@debian.org>

Date: Fri, 26 May 2000 12:54:56 UTC

Severity: normal

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Branden Robinson <branden@debian.org>:
Bug#64713; Package xterm. Full text and rfc822 format available.

Acknowledgement sent to Austin Donnelly <and1000@debian.org>:
New Bug report received and forwarded. Copy sent to Branden Robinson <branden@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Austin Donnelly <and1000@debian.org>
To: submit@bugs.debian.org
Subject: xterm: ICH escape sequences not range checked -> segfault
Date: Fri, 26 May 2000 11:21:31 +0100 (BST)
Package: xterm
Version: X11R6.4, public-patch-3; also seems present in XFree86-4.0 src

This is a repeat of a bug report I filed with <xbugs@opengroup.org>, on
26th April 2000, but I haven't had any response from them.  Hence I'm
also sticking it in the Debian bug database, and hopefully you nice
guys will forward it upstream and chase it up for me.

Thanks,
Austin
------------------------------------------------------------
     VERSION:

R6.4, public-patch-3

     CLIENT MACHINE and OPERATING SYSTEM:

Linux 2.3.2 Red Hat Linux release 6.1 (Cartman) i686

     DISPLAY TYPE:

NCD 88K NCDware V3.3.2 19c, also reproducible using XFree86-3.3.5
server.

     WINDOW MANAGER:

fvwm or fvwm2

     COMPILER:

gcc version 2.95.2 19991024 (release)

     AREA:

xterm

     SYNOPSIS:

xterm doesn't range-check ICH (insert char) escape codes fully enough:
it segfaults if you try to insert more blanks than the xterm is wide.


     DESCRIPTION:

Bash (and I suppose readline is the real culprit) can in some
circumstances generate illegal escape sequences which ask xterm to
insert more blanks than the xterm is wide.  This leads to a segfault,
usually in memmove().  A typical backtrace looks like:

(gdb) run
Starting program: /anfs/scratch/cquest/and1000/xc400/programs/xterm/xterm 
Program received signal SIGSEGV, Segmentation fault.
0x401e8eb5 in memmove () at ../sysdeps/generic/memmove.c:108
108     ../sysdeps/generic/memmove.c: No such file or directory.
(gdb) bt
#0  0x401e8eb5 in memmove () at ../sysdeps/generic/memmove.c:108
#1  0x805fb23 in ScrnInsertChar (screen=0x8090c0c, n=86, size=45)
    at screen.c:540
#2  0x8062658 in InsertChar (screen=0x8090c0c, n=86) at util.c:535
#3  0x804fa1c in VTparse () at charproc.c:1311
#4  0x8053478 in VTRun () at charproc.c:3929
#5  0x806821b in main (argc=0, argv=0xbffff244) at main.c:1935

Xterm should not crash due to invalid escape sequences being echoed at
it.  Of course, the real bug is in bash/readline generating the broken
sequences in the first place.  Nevertheless, xterm should be more
robust.


     REPEAT BY:

From within an 80 character wide xterm:
$ echo -e '\033[85@'

This causes xterms from XFree86-3.3.5 and XFree86-4.0 to dump core.


     SAMPLE FIX:

*** util.c~     Wed Mar  1 01:21:01 2000
--- util.c      Wed Apr 26 23:20:21 2000
***************
*** 1,5 ****
--- 1,6 ----
  /*
   *    $XConsortium: util.c /main/33 1996/12/01 23:47:10 swick $
+  *    InsertChar() range check added 26 Apr 2000, Austin_Donnelly@yahoo.co.uk
   *    $XFree86: xc/programs/xterm/util.c,v 3.51 2000/02/29 03:09:30 dawes Exp 
$
   */
  
***************
*** 499,504 ****
--- 500,507 ----
        if(screen->cursor_state)
                HideCursor();
        screen->do_wrap = 0;
+       if (screen->cur_col + n > screen->max_col)
+           n = screen->max_col - screen->cur_col;
        if(screen->cur_row - screen->topline <= screen->max_row) {
            if(!AddToRefresh(screen)) {
                int col = screen->max_col + 1 - n;
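
Review bot: The added clamp at the top of this hunk evaluates `screen->cur_col + n` in signed int arithmetic before comparing, so a sufficiently large ICH parameter could overflow and skip the clamp; `if (n > screen->max_col - screen->cur_col)` makes the same test without the addition. The context line `int col = screen->max_col + 1 - n;` suggests max_col is the index of the last column, in which case the space from the cursor to the end of the line is `screen->max_col + 1 - screen->cur_col` and this clamp stops one cell short; that is safe, but please confirm it is intended. There is also no lower bound, so n <= 0 passes through unchanged. Since the backtrace faults in ScrnInsertChar(), a matching check there would also cover any other caller.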






Changed Bug title. Request was from Branden Robinson <branden@ecn.purdue.edu> to control@bugs.debian.org. Full text and rfc822 format available.
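
The range check the report above asks for, as an added example (not xterm's code and not part of the original message). `row_insert_blanks` and `report_case` are hypothetical names, and the screen row is modelled as a plain `char` array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Insert n blanks at column col of a row that is width cells wide.
 * Cells pushed past the right edge are discarded. Returns the number
 * of blanks actually inserted (0 for out-of-range input). */
static size_t row_insert_blanks(char *row, size_t width, size_t col, long n)
{
    if (row == NULL || col >= width || n <= 0)
        return 0;

    size_t room = width - col;  /* cells from the cursor to the row end */
    /* Compare against the room left rather than computing col + n,
     * so a huge parameter cannot wrap and slip past the check. */
    size_t count = (unsigned long)n > room ? room : (size_t)n;

    /* Without the clamp, room - count would go negative for n > room and
     * become an enormous size_t length: the memmove() crash in the report. */
    memmove(row + col + count, row + col, room - count);
    memset(row + col, ' ', count);
    return count;
}

/* Constructed case mirroring the report: 80-column row, ICH count 85.
 * Returns the clamped count, or 0 if the guard byte after the row changed. */
static size_t report_case(void)
{
    char buf[81];
    memset(buf, 'x', 80);
    buf[80] = '#';              /* guard byte just past the row */
    size_t done = row_insert_blanks(buf, 80, 0, 85);
    return buf[80] == '#' ? done : 0;
}

int main(void)
{
    printf("inserted %zu of 85 requested blanks\n", report_case());
    return 0;
}
```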

Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Austin Donnelly <and1000@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 64713-done@bugs.debian.org (full text, mbox):

From: Jordi Mallach <jordi@debian.org>
To: branden@debian.org, jordi@debian.org
Cc: 74737-done@bugs.debian.org, 67571-done@bugs.debian.org, 65478-done@bugs.debian.org, 65127-done@bugs.debian.org, 64713-done@bugs.debian.org, 64228-done@bugs.debian.org, 64014-done@bugs.debian.org, 59040-done@bugs.debian.org, 67229-done@bugs.debian.org, 57065-done@bugs.debian.org, 55738-done@bugs.debian.org, 55688-done@bugs.debian.org, 55105-done@bugs.debian.org, 51143-done@bugs.debian.org, 43809-done@bugs.debian.org, 46102-done@bugs.debian.org, 44669-done@bugs.debian.org, 43152-done@bugs.debian.org, 42164-done@bugs.debian.org, 41652-done@bugs.debian.org, 39930-done@bugs.debian.org, 37761-done@bugs.debian.org, 30052-done@bugs.debian.org, 28856-done@bugs.debian.org, 27183-done@bugs.debian.org, 25689-done@bugs.debian.org, 25688-done@bugs.debian.org, 54840-done@bugs.debian.org, 44930-done@bugs.debian.org, 62609-done@bugs.debian.org, 72235-done@bugs.debian.org, 35557-done@bugs.debian.org
Subject: Xterm cleanup for X4
Date: Thu, 9 Nov 2000 20:51:58 +0100
[Message part 1 (text/plain, inline)]
[ Repost]

Nice list of dead bugs. All of these Xterm bugs should be fixed with the
arrival of XFree86 4.0.1 packages.
If you think this is a mistake, please reopen your bug.
A brief explanation of each bug is below.

Jordi
--

## To Reassign
# This is not Xterm, but it's true that rxvt is not working anymore.
#67790: Ctrl+ and Ctrl- seem broken 

## To Close
# Tested, important
#74737: xterm fails to deal with the numeric keypad properly under lynx
#close 74737

# Tested
#67571: freezes on binary input
#close 67571

# Submitter says no bug
#65478: xterm: Xterm colors and keypad behavior are changed
#close 65478

# Xresources broken in 3.3.6-7
#65127: home/end keys don't work with xterm 3.3.6-7
#close 65127

# Fixed already in 3.3.6-8
#64713: xterm: ICH escape sequences not range checked -> segfault [UPSTREAM] 
#close 64713

# Fixed in X4
#64228: the case of the reversing xterm
#close 64228

# Fixed in X4
#64014: console brken on exit
#close 64014

# Fixed somewhere between 3.3.6-3 and X4.
#59040: vim and nvi do not resize 
#close 59040

# Fixed in 3.3.6-10
#67229: xterm: backspace and colour stopped working
#close 67229

# This can't be a bug.
#57065: xterm: ctrl-mouse button menus do not appear 
#close 57065

# Branden tagged these as Fixed in X4.0a
#55738: xterm: remote visual bell turns off xterm attribute [FIXED in XFree86 4.0a]
#55688: xterm: vim and nvi don't work with keypad numbers [FIXED in XFree86 4.0a]
#55105: xterm: does not accept ^- for an undefined tty control character [FIXED in XFree86 4.0a] 
#51143: xterm: cannot chown /dev/pts/3 to 0,0: No such file or directory [FIXED in XFree86 4.0a]
#43809: xterm: the reverse video checkmark stays on [FIXED in XFree86 4.0a]
#49714: xterm: Errors when run as root with /dev/pts # Merged with 51143
#close 55738
#close 55688
#close 55105
#close 51143
#close 43809

# Fixed in 3.3.6-1
#46102: xterm: locale 'Compose' information is incorrect
#close 46102

# Ancient, fixed bug
#44669: Resizing fails after iconify/deiconify when using activeIcon 
#close 44669

# We use $TERM=xterm now
#43152: TERM-Value of xterm 
#close 43152

# Ancient, fixed bug (tested with hu_HU)
#42164: xterm & rxvt vs. some locales
#close 42164

# Can't reproduce
#41652: bug: bugview borks my xterm screen
#close 41652

# This should be fixed at this point
#39930: xterm: ignores $XUSERFILESEARCHPATH [UPSTREAM]
#close 39930

# Tv maintains Xtermset
#37761: Please add xtermset
#close 37761

# Reverse video thing again
#30052: xterm: Problems with reverse video 
#close 30052

# Don't believe this applies still
#29363: xterm segmentation faults in some cases
#close 29363

# Ancient, fixed bug
#28856: xterm: Del works like Backspace in xterm-debian 
#close 28856

# No xterm-debian anymore
#27183: rxvt: Uses xterm-debian 
#close 27183

# Same, xterm-debian problems
#25689: xbase: Delete mapping in Xresources wrong if connecting from remote
#25688: xbase: termname should be set in app-defaults file rather than in Xresources
#close 25689
#close 25688

# Fixed in X4 wishlists
#54840: xterm: should have a default translation for ISO_Left_Tab [FIXED in XFree86 4.0a]
#44930: xterm: feature request: wait "hit RETURN" on child exit [FIXED in XFree86 4.0a]
#close 54840
#close 44930

# m2 tested this.
#62609: xterm: doesn't display non-breaking spaces (octal 240 in ISO 8859-1)
#close 62609

# Same as 54840
#72235: xterm: Please add terminfo binding for backtab
#close 72235

# Waiting for info, but -bd should be enough.
#35557: xterm: menu border always black, regardless of background [UPSTREAM]
#close 35557

## On hold, waiting for submitter reply (or Branden's confirmation)
#39964: xterm: window resizing problems [UPSTREAM] 
#37517: xterm: binary files can cause xterm to hang and dump into the printer queue with printerCommand [UPSTREAM]

## No clue // Untested // No opinion
#35386: xterm: -C option should read from /dev/xconsole, not /dev/console 
#24876: xbase: xterm's loginShell ressource should be set to true by default. 
# But this could be bash, or whatever, as Branden can't tickle it.
#19538: xterm resize no longer works fully

-- 
Jordi Mallach Pérez || jordi@pusa.informat.uv.es || Rediscovering Freedom,
   aka Oskuro in    || jordi@sindominio.net      || Using Debian GNU/Linux
 Reinos de Leyenda  || jordi@debian.org          || http://debian.org

http://sindominio.net  GnuPG public information:      pub  1024D/917A225E 
telnet pusa.uv.es 23   73ED 4244 FD43 5886 20AC  2644 2584 94BA 917A 225E
[Message part 2 (application/pgp-signature, inline)]

Message #13 received at 64713-done@bugs.debian.org (full text, mbox):

From: Jordi Mallach <jordi@debian.org>
To: 74737-done@bugs.debian.org, 67571-done@bugs.debian.org, 65478-done@bugs.debian.org, 65127-done@bugs.debian.org, 64713-done@bugs.debian.org, 64228-done@bugs.debian.org, 64014-done@bugs.debian.org, 59040-done@bugs.debian.org, 67229-done@bugs.debian.org, 57065-done@bugs.debian.org, 55738-done@bugs.debian.org, 55688-done@bugs.debian.org, 55105-done@bugs.debian.org, 51143-done@bugs.debian.org, 43809-done@bugs.debian.org, 46102-done@bugs.debian.org, 44669-done@bugs.debian.org, 43152-done@bugs.debian.org, 42164-done@bugs.debian.org, 41652-done@bugs.debian.org, 39930-done@bugs.debian.org, 37761-done@bugs.debian.org, 30052-done@bugs.debian.org, 28856-done@bugs.debian.org, 27183-done@bugs.debian.org, 25689-done@bugs.debian.org, 25688-done@bugs.debian.org, 54840-done@bugs.debian.org, 44930-done@bugs.debian.org, 62609-done@bugs.debian.org, 72235-done@bugs.debian.org, 35557-done@bugs.debian.org
Subject: Xterm cleanup for X4
Date: Thu, 9 Nov 2000 03:38:04 +0100



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:48:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.