get_termkey can segfault from accessing NULL

Bug #1857166 reported by Anthony DeRobertis
Affects: libtickit    Status: New    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

I've stumbled across this while running the POEx::Tickit test cases under Debhelper, which appears to have done something unexpected — redirected stdin from /dev/null.

static TermKey *get_termkey(TickitTerm *tt)
{
  if(!tt->termkey) {
    int flags = 0;
    if(tt->is_utf8 == TICKIT_YES)
      flags |= TERMKEY_FLAG_UTF8;
    else if(tt->is_utf8 == TICKIT_NO)
      flags |= TERMKEY_FLAG_RAW;

    /* termkey_new() returns NULL if termkey_start() fails; the result is not checked */
    tt->termkey = termkey_new(tt->infd, TERMKEY_FLAG_EINTR | flags);

    /* termkey_get_flags() dereferences tt->termkey, so a NULL here segfaults */
    tt->is_utf8 = !!(termkey_get_flags(tt->termkey) & TERMKEY_FLAG_UTF8);
  }
  ⋮

The problem is that termkey_new can fail (in this case because termkey_start failed), and thus return NULL. Then the next line tries to access tt->termkey, i.e., NULL->termkey, which of course segfaults.

Unfortunately, the fix appears non-trivial as other places seem to presume get_termkey never fails.
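The pattern from the report, as an added example that is not libtickit's or libtermkey's code: a small self-contained model of the lazily created handle, with the unchecked getter beside a version that checks the constructor's result and passes the failure on to its caller. ModelTermKey, model_termkey_new(), ModelTerm and the rest are stand-ins invented for this example; the model's "start" step is tcgetattr(), which fails with ENOTTY on a non-terminal such as /dev/null (the stdin redirection described above), and, like the real termkey_new(), the model skips starting when the fd is -1.

```c
/* Added example, not libtickit's code: lazy handle creation with and without
 * a NULL check on the constructor. All names here are invented stand-ins. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>

#define MODEL_FLAG_UTF8  (1 << 0)
#define MODEL_FLAG_RAW   (1 << 1)
#define MODEL_FLAG_EINTR (1 << 2)

typedef struct { int fd; int flags; } ModelTermKey;

/* Stand-in for termkey_new(): returns NULL when "starting" on the fd fails.
 * Starting is modelled as tcgetattr(), which sets errno = ENOTTY on /dev/null
 * or a pipe. An fd of -1 means "no terminal yet" and skips the start step. */
static ModelTermKey *model_termkey_new(int fd, int flags)
{
  struct termios tio;
  if(fd != -1 && tcgetattr(fd, &tio) != 0)
    return NULL;                      /* errno left as set by tcgetattr() */
  ModelTermKey *tk = calloc(1, sizeof *tk);
  if(!tk)
    return NULL;
  tk->fd = fd;
  tk->flags = flags;
  return tk;
}

static int model_termkey_get_flags(ModelTermKey *tk) { return tk->flags; }
static void model_termkey_destroy(ModelTermKey *tk) { free(tk); }

enum { MODEL_NO = 0, MODEL_YES = 1, MODEL_MAYBE = 2 };

typedef struct { int infd; int is_utf8; ModelTermKey *termkey; } ModelTerm;

/* The reported shape: the constructor's result is used before being checked,
 * so a NULL return becomes a NULL dereference inside get_flags().
 * Kept for comparison only; nothing in this file calls it. */
ModelTermKey *get_termkey_unchecked(ModelTerm *tt)
{
  if(!tt->termkey) {
    int flags = 0;
    if(tt->is_utf8 == MODEL_YES)     flags |= MODEL_FLAG_UTF8;
    else if(tt->is_utf8 == MODEL_NO) flags |= MODEL_FLAG_RAW;
    tt->termkey = model_termkey_new(tt->infd, MODEL_FLAG_EINTR | flags);
    tt->is_utf8 = !!(model_termkey_get_flags(tt->termkey) & MODEL_FLAG_UTF8); /* crashes when NULL */
  }
  return tt->termkey;
}

/* Hardened shape: test the constructor's result before touching it, keep
 * errno from the failed start, and make NULL part of the getter's contract. */
ModelTermKey *get_termkey_checked(ModelTerm *tt)
{
  if(!tt->termkey) {
    int flags = 0;
    if(tt->is_utf8 == MODEL_YES)     flags |= MODEL_FLAG_UTF8;
    else if(tt->is_utf8 == MODEL_NO) flags |= MODEL_FLAG_RAW;
    tt->termkey = model_termkey_new(tt->infd, MODEL_FLAG_EINTR | flags);
    if(!tt->termkey)
      return NULL;                    /* caller must handle "no terminal" */
    tt->is_utf8 = !!(model_termkey_get_flags(tt->termkey) & MODEL_FLAG_UTF8);
  }
  return tt->termkey;
}

/* Scenario from the report: input fd is /dev/null. Returns 1 if the checked
 * getter fails cleanly with ENOTTY instead of crashing. */
int demo_nonterminal_fd_fails(void)
{
  int fd = open("/dev/null", O_RDONLY);
  if(fd < 0)
    return 0;
  ModelTerm tt = { fd, MODEL_MAYBE, NULL };
  int ok = (get_termkey_checked(&tt) == NULL) && (errno == ENOTTY);
  close(fd);
  return ok;
}

/* Success path: fd -1 skips the start step, the handle is created once and
 * cached, and is_utf8 is resolved from the handle's flags. Returns 1 on success. */
int demo_no_fd_succeeds(void)
{
  ModelTerm tt = { -1, MODEL_YES, NULL };
  ModelTermKey *tk = get_termkey_checked(&tt);
  int ok = tk != NULL && tt.is_utf8 == MODEL_YES && get_termkey_checked(&tt) == tk;
  model_termkey_destroy(tk);
  return ok;
}

int main(void)
{
  printf("non-terminal fd handled: %s\n", demo_nonterminal_fd_fails() ? "yes" : "no");
  printf("fd -1 succeeds:          %s\n", demo_no_fd_succeeds() ? "yes" : "no");
  return 0;
}
```

The getter is only half of the fix: once it can return NULL, every caller that previously assumed a handle exists has to decide what "no terminal" means for it (return an error, skip input handling, or fall back to fd -1), which is the non-trivial part the report points at.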
