crash report: illegal memory access when parsing invalid xterm color sequence

Emanuele Giaquinta emanuele.giaquinta at gmail.com
Sat Sep 12 15:51:30 CEST 2015


Hi,

On Tue, Sep 08, 2015 at 07:43:18PM +0800, Kuang-che Wu wrote:
> $ rxvt -e sh -c "echo -e '\e]4;;[0\x9c'"
> ASAN:SIGSEGV
> =================================================================
> ==18168==ERROR: AddressSanitizer: SEGV on unknown address 0x601ffd07da10 (pc 0x7f7de1a8aaea bp 0x7ffffd0771b0 sp 0x7ffffd076948 T0)
>     #0 0x7f7de1a8aae9  (/lib/x86_64-linux-gnu/libc.so.6+0x88ae9)
> ... (skip)
> 
> 
> rxvt_color::set (rxvt_screen *screen, const char *name)
> {
>   rgba c;
>   char eos;
>   int skip;
> 
>   c.a = rgba::MAX_CC;
> 
>   // parse the nonstandard "[alphapercent]" prefix
>   if (1 <= sscanf (name, "[%hd]%n", &c.a, &skip))
>     {
>       c.a = lerp<int, int, int> (0, rgba::MAX_CC, c.a);
>       name += skip;
>     }
> 
> The problem is, name="[0". sscanf() parsed |c.a| and returned 1, but didn't fill |skip|.
> And |skip| is not initialized. Depending on its value, rxvt may crash later.

fixed, thanks for the report.

Emanuele
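
An added example, not part of the original thread and not the change committed to rxvt-unicode: one way to guard the `%n` result described in the report, by giving `skip` a sentinel value and advancing only when `%n` was actually stored. The helper name `alpha_prefix_len` and the sample inputs other than "[0" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rxvt-unicode code): parse the "[alphapercent]"
 * prefix and return how many bytes it occupies, or 0 when no complete
 * prefix is present. *alpha is written only on success; it may be NULL. */
static size_t alpha_prefix_len(const char *name, short *alpha)
{
    short a = 0;
    int skip = -1;              /* sentinel: stays -1 unless %n is reached */

    /* sscanf counts only assigned conversions; %n is not counted. For
     * "[0" the %hd succeeds (return value 1), the literal ']' then fails
     * to match, and scanning stops before %n stores anything. */
    int n = sscanf(name, "[%hd]%n", &a, &skip);

    if (n < 1 || skip < 0)
        return 0;               /* no prefix, or prefix not terminated */

    if (alpha)
        *alpha = a;
    return (size_t)skip;
}

int main(void)
{
    /* Constructed inputs; "[0" is the string from the report. */
    const char *samples[] = { "[0", "[50]red", "[0]", "red", "[", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short alpha = -1;
        size_t used = alpha_prefix_len(samples[i], &alpha);
        printf("%-10s consumed=%zu alpha=%d rest=\"%s\"\n",
               samples[i], used, alpha, samples[i] + used);
    }
    return 0;
}
```

Checking the return value alone cannot distinguish "[0" from "[0]", since both yield 1; only the sentinel shows whether the closing bracket was matched.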


