From 75e201608ba7aeac87af26906aaaaba55c63b92e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= Date: Fri, 12 Jun 2026 18:09:02 +0200 Subject: [PATCH] sixel: fix NULL deref when using a shared palette and gamma-correct blending This fixes a copy-paste error where we read/modified/wrote the private-palette instead of the shared palette. Since the private palette is NULL in this case, that meant a crash. Closes #2370 --- CHANGELOG.md | 3 +++ sixel.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d92676d2..bcf8b5ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -100,12 +100,15 @@ across the starting column. * Passing a very large value as CHT/CBT argument hangs the terminal ([#2360][2360]). +* Sixel: crash when using a shared palette and gamma-correct blending + has been enabled, or foot is using 10-bit surface ([#2370][2370]). [2353]: https://codeberg.org/dnkl/foot/issues/2353 [2352]: https://codeberg.org/dnkl/foot/issues/2352 [2327]: https://codeberg.org/dnkl/foot/issues/2327 [2379]: https://codeberg.org/dnkl/foot/issues/2379 [2360]: https://codeberg.org/dnkl/foot/issues/2360 +[2370]: https://codeberg.org/dnkl/foot/issues/2370 ### Security diff --git a/sixel.c b/sixel.c index 0c1ccd1b..2bf47b7e 100644 --- a/sixel.c +++ b/sixel.c @@ -169,10 +169,10 @@ sixel_init(struct terminal *term, int p1, int p2, int p3) if (term->sixel.linear_blending || term->sixel.use_10bit) { for (size_t i = 0; i < active_palette_entries; i++) { - uint8_t r = (term->sixel.private_palette[i] >> 16) & 0xff; - uint8_t g = (term->sixel.private_palette[i] >> 8) & 0xff; - uint8_t b = (term->sixel.private_palette[i] >> 0) & 0xff; - term->sixel.private_palette[i] = color_decode_srgb(term, r, g, b); + uint8_t r = (term->sixel.shared_palette[i] >> 16) & 0xff; + uint8_t g = (term->sixel.shared_palette[i] >> 8) & 0xff; + uint8_t b = (term->sixel.shared_palette[i] >> 0) & 0xff; + term->sixel.shared_palette[i] = color_decode_srgb(term, r, g, b); } } } else {