From 43a48f53d42a5de21e0a6eb6783863051ad8862a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= Date: Thu, 13 Oct 2022 17:52:34 +0200 Subject: [PATCH] =?UTF-8?q?sixel:=20don=E2=80=99t=20crash=20when=20sixel?= =?UTF-8?q?=20image=20exceeds=20current=20sixel=20max=20height?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When we try to resize a sixel past the current max height, we set col > image-width to signal this. This means ‘width’ could be smaller than ‘col’. When calculating how many sixels to emit in sixel_add_many(), we didnt’ account for this. The resulting value was -1, converted to ‘unsigned’. I.e. a very large value. This resulted in an assert triggering in sixel_add() in debug builds, and a crash in release builds. --- CHANGELOG.md | 1 + sixel.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f97cb252..cf6a2104 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -88,6 +88,7 @@ built-in terminfo (accessed via XTGETTCAP). * Crash when interactively resizing the window with a very large scrollback. +* Crash when a sixel image exceeds the current sixel max height. [1173]: https://codeberg.org/dnkl/foot/issues/1173 diff --git a/sixel.c b/sixel.c index c80a92a3..a824c405 100644 --- a/sixel.c +++ b/sixel.c @@ -1295,7 +1295,7 @@ sixel_add_many(struct terminal *term, uint8_t c, unsigned count) if (unlikely(col + count - 1 >= width)) { resize_horizontally(term, col + count); width = term->sixel.image.width; - count = min(count, width - col); + count = min(count, max(width - col, 0)); } uint32_t color = term->sixel.color;