Ticket #4627 (accepted defect)
F3 on help screen causes segmentation fault
| Reported by: | egmont | Owned by: | andrew_b |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.8.33 |
| Component: | mc-core | Version: | 4.8.31 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Branch state: | approved | Votes for changeset: | zaytsev |
Description
Forwarding from the beautifully numbered https://bugs.debian.org/1088888:
"""
If I start mc or mcedit, then press F1 followed by F3, the program dies
with a segmentation fault.
I ran across this by accident, so I had no expectations. However, if I
navigate to a different help screen and press F3 ("Prev"), I get back to
the main help screen, and pressing F3 there will have no effect if the
first link is highlighted. The crash only happens if I haven't left the
main help screen since last opening it.
"""
Change History
comment:2 Changed 31 hours ago by egmont
Inside help_interactive_display(), the for loop that initializes history leaves history_ptr at -1.
In help_back(), this value causes an out-of-bounds access to the history array, thus placing random noise in currentpoint and selected_item, the former used subsequently by help_bg_callback() and passed to help_show().
I guess the for loop should use int i as its counter, or reset history_ptr = 0 afterwards. I've verified both to fix the problem. Pick whichever you prefer ;)
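Added illustration, not mc's code: a constructed reproduction of the loop-counter mistake described above, next to the two fixes proposed (a separate `int i` counter, or resetting `history_ptr` to 0) and a bounds-checked `help_back()` that cannot read past the array. `HISTORY_SIZE`, the entry struct and `SAMPLE_PAGE` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

#define HISTORY_SIZE 20

/* Constructed stand-in for a help-history entry (not mc's real struct):
 * the page being shown and which link on it was selected. */
typedef struct {
    const char *page;
    int link;
} HistoryEntry;

static HistoryEntry history[HISTORY_SIZE];
static int history_ptr;
static const char SAMPLE_PAGE[] = "[Main help page]";   /* constructed */

/* The pattern the ticket describes: the loop that clears the history reuses
 * history_ptr as its counter, so it exits with history_ptr == -1. */
int init_history_buggy(void)
{
    for (history_ptr = HISTORY_SIZE - 1; history_ptr >= 0; history_ptr--) {
        history[history_ptr].page = SAMPLE_PAGE;
        history[history_ptr].link = 0;
    }
    return history_ptr;   /* -1: the next help_back() would read history[-1] */
}

/* Fix: a dedicated counter, and history_ptr explicitly left on a valid slot. */
int init_history_fixed(void)
{
    int i;
    for (i = HISTORY_SIZE - 1; i >= 0; i--) {
        history[i].page = SAMPLE_PAGE;
        history[i].link = 0;
    }
    history_ptr = 0;
    return history_ptr;
}

/* Hardened help_back(): refuse to index outside the array, so a stale -1 can
 * never feed garbage into currentpoint/selected_item (and on to help_show()). */
bool help_back_checked(const char **currentpoint, int *selected_item)
{
    if (history_ptr < 0 || history_ptr >= HISTORY_SIZE)
        return false;
    *currentpoint = history[history_ptr].page;
    *selected_item = history[history_ptr].link;
    return true;
}
```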
comment:3 Changed 21 hours ago by andrew_b
- Status changed from new to accepted
- Owner set to andrew_b
- Branch state changed from no branch to on review
- Milestone changed from Future Releases to 4.8.33
Thanks!
Branch: 4627_help_segfault
changeset:edacd3922268f93a674dfbe6199e30bf4a3d5af6
If I compile with CFLAGS and CPPFLAGS containing either -O0 or -g or both, then I don't get a segfault, but rather a somewhat weird behavior: the opening help page is scrolled a bit up, and the newly focused word "Enter" is at the beginning of the search box.
In the crashing case (default compile options), help_show() is called with paint_start == NULL. In the non-crashing but misbehaving case, help_show() is called with a paint_start that's ~300-ish bytes larger than the first time, i.e. pointing into the middle of the desired help page.
As per the original report, if I navigate to a different page and then come back and then again press F3, no crash or weird behavior happens. Then paint_start is always called with the actual address of the opening page whenever I try to go back from there.
Smells like perhaps an uninitialized variable somewhere in the methods that end up calling help_show() with a corrupt/uninitialized value as parameter?