get_termkey can segfault from accessing NULL
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libtickit | New | Undecided | Unassigned |
Bug Description
I've stumbled across this while running the POEx::Tickit test cases under Debhelper, which appears to have done something unexpected — redirected stdin from /dev/null.
```c
static TermKey *get_termkey(TickitTerm *tt)
{
  if(!tt->termkey) {
    int flags = 0;
    if(tt->is_utf8 == TICKIT_YES)
      flags |= TERMKEY_FLAG_UTF8;
    else if(tt->is_utf8 == TICKIT_NO)
      flags |= TERMKEY_FLAG_RAW;

    /* termkey_new() returns NULL on failure (here: termkey_start() failed) */
    tt->termkey = termkey_new(tt->infd, flags);
    /* dereferences tt->termkey without checking it: segfaults when NULL */
    tt->is_utf8 = !!(termkey_get_flags(tt->termkey) & TERMKEY_FLAG_UTF8);
  }
  ⋮
```
The problem is that termkey_new can fail (in this case because termkey_start failed), and thus return NULL. Then the next line tries to access tt->termkey, i.e., NULL->termkey, which of course segfaults.
Unfortunately, the fix appears non-trivial as other places seem to presume get_termkey never fails.
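For illustration, an added example (not libtickit's code) of what the hardened getter and a checking caller look like. The libtermkey calls are minimal stand-ins so it compiles offline; the stand-in `termkey_new()` fails on a negative descriptor, standing in for the real library's failure when `termkey_start()` cannot set up the terminal. `TickitTerm`, `term_input_ready()` and `probe_fd()` are assumed names for this example.

```c
#include <stdlib.h>

#define TERMKEY_FLAG_UTF8 (1 << 0)
#define TERMKEY_FLAG_RAW  (1 << 1)

typedef struct { int flags; } TermKey;
typedef enum { TICKIT_NO = 0, TICKIT_YES = 1, TICKIT_MAYBE = -1 } TickitMaybeBool;
/* Assumed minimal shape of the terminal object used by get_termkey(). */
typedef struct { int infd; TickitMaybeBool is_utf8; TermKey *termkey; } TickitTerm;

/* Stand-in for libtermkey: construction can fail and then returns NULL.
 * The real library fails when termkey_start() cannot configure the tty
 * (the stdin-from-/dev/null case in the report); the stand-in fails on fd < 0. */
static TermKey *termkey_new(int fd, int flags)
{
  if(fd < 0) return NULL;
  TermKey *tk = malloc(sizeof *tk);
  if(tk) tk->flags = flags;
  return tk;
}
static int  termkey_get_flags(TermKey *tk) { return tk->flags; }
static void termkey_destroy(TermKey *tk)   { free(tk); }

/* Hardened getter: a NULL from termkey_new() is returned, never dereferenced. */
static TermKey *get_termkey(TickitTerm *tt)
{
  if(!tt->termkey) {
    int flags = 0;
    if(tt->is_utf8 == TICKIT_YES)     flags |= TERMKEY_FLAG_UTF8;
    else if(tt->is_utf8 == TICKIT_NO) flags |= TERMKEY_FLAG_RAW;

    tt->termkey = termkey_new(tt->infd, flags);
    if(!tt->termkey)
      return NULL;                    /* every caller must handle this */
    tt->is_utf8 = !!(termkey_get_flags(tt->termkey) & TERMKEY_FLAG_UTF8);
  }
  return tt->termkey;
}

/* Example caller: 0 when a key reader exists, -1 when the terminal has none.
 * This is the check the report says existing call sites currently lack. */
int term_input_ready(TickitTerm *tt)
{
  return get_termkey(tt) ? 0 : -1;
}

/* Builds a fresh terminal on `fd`, exercises the caller, frees, returns its result. */
int probe_fd(int fd)
{
  TickitTerm tt = { fd, TICKIT_MAYBE, NULL };
  int rc = term_input_ready(&tt);
  if(tt.termkey) termkey_destroy(tt.termkey);
  return rc;
}
```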