#112 FreeDOS EDIT 0.9a (0.9.1.0) - Interrupt vector trashing bug?

Status: open
Milestone: None
Priority: 5
Updated: 2014-07-11
Created: 2013-10-26
Creator: Arjay
Private: No

Version 0.9a of FreeDOS EDIT.EXE and version 0.7 appear under at least 1 scenario to trash Interrupt 01h (SINGLE STEP) + Interrupt 02h (NON-MASKABLE INTERRUPT) and fail to correctly restore their values on exit. In the case of Interrupt 02h the value it is set to is "tled".

Example steps to review the bug:
1) Download and extract IVTUTIL.EXE (http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/util/system/ivtutil/ )
2) c:\edittest>IVTUTIL MEM B4EDIT.TXT
3) c:\edittest>IVTUTIL MEM B4EDIT.DAT
4) c:\edittest>EDIT
5) Within EDIT select "File", "New"
6) Within EDIT select "File", "Exit"
7) c:\edittest>IVTUTIL MEM AFTREDIT.TXT
8) c:\edittest>IVTUTIL MEM AFTREDIT.DAT
9) Compare the contents of B4EDIT.TXT and AFTREDIT.TXT (text file)
10) Compare the contents of B4EDIT.DAT and AFTREDIT.DAT (binary data)

There should not be any differences if EDIT.EXE is correctly restoring Interrupts.

e.g. For me under DOSBox:

B4EDIT.TXT
INT VECTOR POINTS TO
--- ------ ---------
$00 F000:1060
$01 0070:0008
$02 0070:0008
$03 0070:0008

vs

AFTREDIT.TXT
INT VECTOR POINTS TO
--- ------ ---------
$00 F000:1060
$01 6465:6C74
$02 0070:0000
$03 0070:0008

If you review the binary data, e.g. AFTREDIT.DAT
-d [interrupt00][interrupt01][interrupt02][interrupt03]
xxxx:0100 60 10 00 F0 74 6C 65 64-00 00 70 00 08 00 70 00 `...tled..p...p.

Interrupt 01h is set to 6465:6C74 which in binary is "tled" presumably from the default window name of "Untitled". It looks like EDIT.EXE has a pointer with a null segment causing the overwriting of the Interrupt Vector Table.

I have started a discussion on the BTTR forum:
http://www.bttr-software.de/forum/mix_entry.php?id=13151

Discussion

  • Eric Auer
    2013-11-01

    The BTTR forum says, EDIT "new file" would trash
    data in IVT, 0:4 to 0:8 to be exact, by putting
    the string "Untitled" at 0:0 and then restoring
    only 0:0 to 0:3. Interestingly, because DEBUG
    installs an int 1 vector and EDIT restores the
    int 0 vector at exit, you do not notice in DEBUG
    but it does show in dosemu + dosdebug for 0.7d:

    Before starting EDIT:

    d 0 10

    00000000 DB 10 D3 00 A6 10 D3 00 02 C0 00 F0 A6 10 D3 00 [.S.&.S..@.p&.S.

    EDIT running without text windows:

    d 0 10

    00000000 25 01 AD 03 A6 10 D3 00 02 C0 00 F0 A6 10 D3 00 %.-.&.S..@.p&.S.

    Opened new file:

    d 0 10

    00000000 55 6E 74 69 74 6C 65 64 00 C0 00 F0 A6 10 D3 00 Untitled.@.p&.S.

    After leaving edit:

    d 0 10

    00000000 DB 10 D3 00 74 6C 65 64 00 C0 00 F0 A6 10 D3 00 [.S.tled.@.p&.S.

    So indeed there is a problem when opening a new file. Opening
    existing files (command line or via menu) does not trigger it
    nor does opening calendar or ascii table. Only the menu item
    to make a new untitled text edit window triggers this.

    The string shows at edit.c:
    NewFile(WINDOW wnd, char *FileName) {
    OpenPadWindow(wnd, Untitled, FileName); }

    where Untitled is a global string:
    static char Untitled[] = "Untitled";
    (also at several strcmp in edit.c with Untitled as 2nd argument)

    and in applicat.c:
    static char *WindowName(WINDOW wnd) {
    ... which returns the inlined string "Untitled" for non-
    dialog, null-titled windows which is apparently used to
    generate a list of open windows, copying the string to:

    Menus[MenuNo]+4 with strncpy length 20
    where Menus is a 9 element array with nine
    "~1. "
    style strings as initial content.

    So... What is going wrong?

    I would guess edit.c calling NewFile(wnd,NULL) for new files?
    However, OpenPadWindow checks if the 3rd argument is null...

    Maybe you can find out where this is going wrong? Thanks!
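The corruption described in the report and in the comment above, reproduced as an added C simulation (this is not EDIT's own code): a 16-byte stand-in for the start of the IVT is loaded with the B4EDIT.TXT vectors, "Untitled" is copied to offset 0 as the hypothesised null-segment pointer would do, and only the first 4 bytes are saved and restored. The resulting vectors match AFTREDIT.TXT, including the 6465:6C74 ("tled") in INT 01h and the zeroed low byte of INT 02h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for 0000:0000..0000:000F: vectors for INT 00h..03h,
 * each stored little-endian as offset then segment, initialised with the
 * values the report shows in B4EDIT.TXT. Not read from a real machine. */
static uint8_t ivt[16] = {
    0x60, 0x10, 0x00, 0xF0,   /* INT 00h -> F000:1060 */
    0x08, 0x00, 0x70, 0x00,   /* INT 01h -> 0070:0008 */
    0x08, 0x00, 0x70, 0x00,   /* INT 02h -> 0070:0008 */
    0x08, 0x00, 0x70, 0x00,   /* INT 03h -> 0070:0008 */
};

/* Vector n as segment<<16 | offset, i.e. the SSSS:OOOO form used in the
 * IVTUTIL listings, so snapshots can be compared numerically. */
uint32_t vector(int n) {
    const uint8_t *p = ivt + 4 * n;
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8) | p[0];
}

/* Hypothesis from the discussion (assumed, not confirmed in EDIT's source):
 * the window-title copy goes through a far pointer whose segment is 0, so
 * "Untitled" plus its NUL (9 bytes) lands at 0:0..0:8, while the code that
 * saves and restores around it covers only INT 00h (0:0..0:3). */
void buggy_new_file(void) {
    uint8_t saved_int0[4];
    memcpy(saved_int0, ivt, 4);         /* save 0:0..0:3 only */
    strcpy((char *)ivt, "Untitled");    /* clobbers 0:0..0:8 */
    memcpy(ivt, saved_int0, 4);         /* restore INT 00h only */
}

/* The IVTUTIL-style check: snapshot INT 00h..03h before and after the
 * simulated "File, New", and return how many vectors changed. */
int run_scenario(uint32_t before[4], uint32_t after[4]) {
    int changed = 0;
    for (int i = 0; i < 4; i++) before[i] = vector(i);
    buggy_new_file();
    for (int i = 0; i < 4; i++) {
        after[i] = vector(i);
        if (after[i] != before[i]) changed++;
    }
    return changed;
}

int main(void) {
    uint32_t b[4], a[4];
    int n = run_scenario(b, a);
    for (int i = 0; i < 4; i++)
        printf("INT %02Xh  %04X:%04X -> %04X:%04X%s\n", i,
               (unsigned)(b[i] >> 16), (unsigned)(b[i] & 0xFFFF),
               (unsigned)(a[i] >> 16), (unsigned)(a[i] & 0xFFFF),
               a[i] != b[i] ? "  CHANGED" : "");
    printf("%d vector(s) changed\n", n);   /* prints 2 */
    return 0;
}
```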