screen_w and screen_h in talker.c don't work well if TERM is NULL
I've said this before but I thought I should open it as a proper issue. There don't seem to be any immediate problems other than causing some issues for users who are doing weird things in their shells.
In init_termcap in main.c if getenv("TERM") returns NULL then g_boTermCap is set to 0 (as expected).
In screen_w (and screen_h) in talker.c, if g_boTermCap is 0 the first thing that happens is it sets szCols to getenv("COLUMNS") then runs atoi on the result (if it's not null). As gcc treats atoi as a base 10 strtol the output is now a signed integer which can be returned.
The first problem lies in the line
```
szCols = getenv("COLUMNS");
```
COLUMNS is a shell variable, not an environmental variable. You can see it's not in the output if you run env on silver. In fact the only time that getenv("COLUMNS") won't return null for the user is if the user exported an environmental variable COLUMNS before running mw. This method will not work for getting terminal size.
The second problem is that there is an assumption that the variable the user submitted is a realistic value. Most strings will get cleaned by the strtol based implementation of atoi. However negative integers are still valid and there is nothing to check the result before it is returned. This isn't documented and might cause problems in other places of mw that assume screen_w and screen_h will always be greater than 0.
e.g.
uri_list_display in uri.c contains the following:
```
width = screen_w();
if(width > MAXTEXTLENGTH - 1) {
    width = MAXTEXTLENGTH - 1;
}
url_line[width]='\0';
```
The assumption that screen_w returns a positive result here is used. It is only checked that the result is not greater than MAXTEXTLENGTH, it is not checked to make sure that it is greater than 0. The element of url_line at index width is then accessed.
Testing: In practice some of the mw code I haven't found tries to reset some shell variables. A user attempting to exploit this in any way would have to do something like export TERM=NULL export COLUMNS="-1000" readonly COLUMNS="-1000"
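One way to close both gaps described in the issue, as an added example that is not mw's own code: ask the tty for its size first, treat COLUMNS as untrusted input, and clamp before indexing. The names parse_dimension, safe_screen_w and clamp_index, the 80-column default, the 1000-column ceiling and the MAXTEXTLENGTH value are all assumptions made for this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define DEFAULT_COLS  80    /* assumed fallback, not taken from mw */
#define MAX_COLS      1000  /* assumed sanity ceiling */
#define MAXTEXTLENGTH 2048  /* placeholder value; mw defines its own */

/* Parse a user-controlled dimension string. Returns fallback unless the
 * string is a clean base-10 integer in the range 1..MAX_COLS. */
int parse_dimension(const char *s, int fallback)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return fallback;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > MAX_COLS)
        return fallback;
    return (int)v;
}

/* Query the terminal directly; consult COLUMNS only if that fails.
 * The result is always greater than 0. */
int safe_screen_w(void)
{
    struct winsize ws;

    if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws) == 0 && ws.ws_col > 0)
        return ws.ws_col;
    return parse_dimension(getenv("COLUMNS"), DEFAULT_COLS);
}

/* Clamp a width to a valid index into a buffer of buflen bytes, checking
 * the lower bound as well as the upper one. */
size_t clamp_index(int width, size_t buflen)
{
    if (width < 0 || buflen == 0)
        return 0;
    if ((size_t)width > buflen - 1)
        return buflen - 1;
    return (size_t)width;
}

int main(void)
{
    char url_line[MAXTEXTLENGTH] = {0};
    url_line[clamp_index(safe_screen_w(), sizeof url_line)] = '\0';
    return 0;
}
```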