Description: Fix crash on multuple initialisation when TERMCAP set
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837868
Forwarded: No
Reviewed-By: Alastair McKinstry <mckinstry@debian.org>
Last-Update: 2016-09-23

Index: slang2-2.3.2/src/sltermin.c
===================================================================
--- slang2-2.3.2.orig/src/sltermin.c
+++ slang2-2.3.2/src/sltermin.c
@@ -591,13 +591,10 @@ static int tcap_getent (SLCONST char *te
    if (NULL == (buf = (unsigned char *) SLmalloc (ulen)))
      return -1;
 
-   b = buf;
-
    /* The beginning of the termcap entry contains the names of the entry.
     * It is terminated by a colon.
     */
 
-   ti->terminal_names = (char *) b;
    t = termcap;
    len = tcap_extract_field (t);
    if (len < 0)
@@ -605,9 +602,9 @@ static int tcap_getent (SLCONST char *te
 	SLfree ((char *)buf);
 	return -1;
      }
-   strncpy ((char *) b, (char *) t, (unsigned int) len);
-   b[len] = 0;
-   b += len + 1;
+   ti->terminal_names = SLmalloc (len + 1);
+   strncpy (ti->terminal_names, (char *) t, (unsigned int) len);
+   ti->terminal_names[len] = 0;
    ti->name_section_size = len;
 
    /* Now, we are really at the start of the termcap entries.  Point the
@@ -616,7 +613,7 @@ static int tcap_getent (SLCONST char *te
    termcap = t + (len + 1);
 
    /* Process strings first. */
-   ti->string_table = (char *) b;
+   b = buf;
    t = termcap;
    while (-1 != (len = tcap_extract_field (t)))
      {
@@ -642,6 +639,7 @@ static int tcap_getent (SLCONST char *te
 		  t = (unsigned char *) _pSLexpand_escaped_char ((char *) t, (char *) tmax, &wch, NULL);
 		  if (t == NULL)
 		    {
+		       SLfree (ti->terminal_names);
 		       SLfree ((char *)buf);
 		       return -1;
 		    }
@@ -662,12 +660,14 @@ static int tcap_getent (SLCONST char *te
 	/* skip colon to next field. */
 	t++;
      }
-   ti->string_table_size = (int) (b - (unsigned char *) ti->string_table);
+   ti->string_table_size = (int) (b - buf);
+   ti->string_table = SLmalloc (ti->string_table_size);
+   memcpy (ti->string_table, buf, ti->string_table_size);
 
    /* Now process the numbers. */
 
    t = termcap;
-   ti->numbers = b;
+   b = buf;
    while (-1 != (len = tcap_extract_field (t)))
      {
 	unsigned char *b1;
@@ -692,11 +692,13 @@ static int tcap_getent (SLCONST char *te
 	b1[2] = (unsigned char) len;    /* replace the # by the length */
 	t++;
      }
-   ti->num_numbers = (b - ti->numbers);
+   ti->num_numbers = (b - buf);
+   ti->numbers = SLmalloc (ti->num_numbers);
+   memcpy (ti->numbers, buf, ti->num_numbers);
 
    /* Now process the flags. */
    t = termcap;
-   ti->boolean_flags = b;
+   b = buf;
    while (-1 != (len = tcap_extract_field (t)))
      {
 	/* We are looking for: XX#NUMBER */
@@ -710,7 +712,10 @@ static int tcap_getent (SLCONST char *te
 	t += 3;
 	b += 2;
      }
-   ti->boolean_section_size = (b - ti->boolean_flags);
+   ti->boolean_section_size = (b - buf);
+   ti->boolean_flags = SLmalloc (ti->boolean_section_size);
+   memcpy (ti->boolean_flags, buf, ti->boolean_section_size);
+   SLfree ((char *)buf);
    return 0;
 }