[New-bugs-announce] [issue47188] ncurses: *** buffer overflow detected ***: terminated with -D_FORTIFY_SOURCE=3

[Martin Liška]

New submission from Martin Liška <marxin.liska at gmail.com>:

Note -D_FORTIFY_SOURCE=3 will come newly with GCC12. So I noticed the following error:

demo.py:
```python
import curses

curses.initscr()
curses.unget_wch('a')
```

Error message:
*** buffer overflow detected ***: terminated

Backtrace:
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo at entry=6, no_tid=no_tid at entry=0) at pthread_kill.c:44
#1  0x00007ffff7d1e1e3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7cce306 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7cb7813 in __GI_abort () at abort.c:79
#4  0x00007ffff7d111b7 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7ffff7e573cf "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff7db630a in __GI___fortify_fail (msg=msg at entry=0x7ffff7e57375 "buffer overflow detected") at fortify_fail.c:26
#6  0x00007ffff7db48b6 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7db5be8 in __wcrtomb_chk (s=s at entry=0xaae440 "\376\271\255", wchar=wchar at entry=97 L'a', ps=ps at entry=0x7fffffffd4f0, buflen=buflen at entry=1) at wcrtomb_chk.c:31
#8  0x00007ffff7a18b31 in wcrtomb (__ps=<optimized out>, __wchar=<optimized out>, __s=<optimized out>, __s=<optimized out>, __wchar=<optimized out>, __ps=<optimized out>) at /usr/include/bits/wchar2.h:402
#9  unget_wch_sp (sp=0xab0920, wch=97 L'a') at ../ncurses/./widechar/lib_unget_wch.c:89
#10 0x00007ffff7a18b61 in unget_wch (wch=<optimized out>) at ../ncurses/./widechar/lib_unget_wch.c:113
#11 0x00007ffff7a55be5 in _curses_unget_wch (module=<optimized out>, ch='a') at /home/marxin/Programming/cpython/Modules/_cursesmodule.c:4497
#12 0x00000000006f6669 in cfunction_vectorcall_O (func=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>, args=0x7ffff7b355b0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:512
#13 0x000000000042d0e8 in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=<optimized out>, args=<optimized out>, callable=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>, tstate=<optimized out>) at ./Include/cpython/abstract.h:114
#14 PyObject_Vectorcall (kwnames=0x0, nargsf=<optimized out>, args=<optimized out>, callable=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>) at ./Include/cpython/abstract.h:123
#15 call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>, bounds=0x7fffffffd640, tstate=0xa70520) at Python/ceval.c:5379
#16 _PyEval_EvalFrameDefault (tstate=<optimized out>, f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:3772

So as seen __wcrtomb_chk is called with buflen == 1 and the function aborts if:

size_t
__wcrtomb_chk (char *s, wchar_t wchar, mbstate_t *ps, size_t buflen)
{
  /* We do not have to implement the full wctomb semantics since we
     know that S cannot be NULL when we come here.  */
  if (buflen < MB_CUR_MAX)
    __chk_fail ();

  return __wcrtomb (s, wchar, ps);
}

Where MB_CUR_MAX == 6.

So the question is if the issue is in libcurses library (that is compiler with -D_FORTIFY_SOURCE=3), or in Modules/_cursesmodule.c?

----------
messages: 416495
nosy: Martin Liška
priority: normal
severity: normal
status: open
title: ncurses: *** buffer overflow detected ***: terminated with -D_FORTIFY_SOURCE=3

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue47188>
_______________________________________