Crash when using scroll markers and system menu user commands #1174
Comments
Thanks a lot for the detailed analysis. I have added safeguards at various places which should hopefully prevent the crash condition. I am not quite sure how to prevent start.y from becoming greater than end.y easily in the first place but its consequences are now being caught. Please take a look. How do you actually interpret the stacktrace? I use addr2line but it does not reveal function parameters.
For the records, the issue was also reproducible with something like
Indeed, the fix works perfectly for me. Thank you for a speedy resolution. The stacktrace above is produced by building mintty with DEBUG=1, and then running the resulting executable under gdb, and provoking the crash.
Released 3.6.2.
When using scroll markers (the "^[[?7711h" sequence) in the prompt of the shell, mintty crashes when invoking a user command from the extended context menu (as defined with the "CtxMenuFunctions" in .minttyrc).
This happens when the last two lines in the output both contain the marker.
To reproduce, it should be sufficient to set up the shell to use scroll markers in the prompt, start a new mintty and press "return" to get a new prompt line. Then invoke a user command from the context menu. The crash is in the calculation of the "MINTTY_OUTPUT" env.var. value.
This is the stack trace for a debug build of version 3.6.1:
The "sizehint" parameter indicates the problem: it calculates "start" and "end" positions for the text, but here the start position becomes greater than the end position, and the estimate for the size becomes negative. This value is then converted to an unsigned value, and becomes almost 2^64. A memory allocation for this size fails, and the resulting null pointer is used.
It looks like the calculation goes wrong in the function term_get_text() in termclip.c.
Compiling with "debug_user_cmd_clip" defined gives this output for the crash:
The problem is probably in lines 410-420:
The "y++" will bump "start" past "end" here.
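As an added illustration of the failure mode described in this report (example code, not mintty's own; the `pos` type, `sizehint_unsafe` and `sizehint_safe` names are hypothetical): the signed size estimate goes negative once `start` passes `end`, the conversion to `size_t` turns it into a value near 2^64, and a hardened variant refuses the inverted range and reports allocation failure instead of handing back a null pointer to be dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical text position: row y, column x (not mintty's real type). */
typedef struct { int y; int x; } pos;

/* Unsafe estimate mirroring the bug: signed arithmetic, no range check.
   With start one row past end this yields a negative number. */
static int sizehint_unsafe(pos start, pos end, int cols) {
  return (end.y - start.y) * (cols + 1) + (end.x - start.x);
}

/* What happens when a caller widens that estimate to an allocation size:
   a negative int becomes a huge size_t, and malloc() will fail. */
static size_t widen_unchecked(int estimate) {
  return (size_t)estimate;
}

/* Hardened estimate: rejects start > end and multiplication overflow. */
static bool sizehint_safe(pos start, pos end, int cols, size_t *out) {
  if (cols <= 0 || start.y > end.y || (start.y == end.y && start.x > end.x))
    return false;
  size_t rows = (size_t)(end.y - start.y) + 1;   /* inclusive row count */
  size_t per_row = (size_t)cols + 1;             /* text plus newline   */
  if (rows > SIZE_MAX / per_row)
    return false;
  *out = rows * per_row;
  return true;
}

/* Allocates the output buffer; NULL on invalid range or allocation failure,
   so the caller must check instead of assuming a valid pointer. */
static char *alloc_text(pos start, pos end, int cols) {
  size_t n;
  if (!sizehint_safe(start, end, cols, &n))
    return NULL;
  return malloc(n);
}
```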