From 87e4004960265494fcab21c71fff48b4f8b0af33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= Date: Fri, 22 Jul 2022 10:44:33 +0200 Subject: [PATCH] =?UTF-8?q?csi:=20clamp=20color=20index=20for=20=E2=80=98C?= =?UTF-8?q?SI=2038/48=20;=205=20;=20idx=20m=E2=80=99=20sequences?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Indexed color values are stored in the cell attributes as color indices (into the 256-color table). However, the index from the CSI was not validated in any way, meaning you can do something like this: echo -e ‘\e[38:5:1024m CRASH \e[m’ and foot will crash on an out-of-bounds access. Fix by clamping the color index. Closes #1111 --- CHANGELOG.md | 4 ++++ csi.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a052d744..7e7aa4a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -82,10 +82,14 @@ support the offered mime-types ([#1092][1092]). * Keyboard enter/leave events being ignored if there is no keymap ([#1097][1097]). +* Crash when application emitted an invalid `CSI 38;5;m`, `CSI + 38:5:m`, `CSI 48;5;m` or `CSI 48:5:m` sequence + ([#1111][1111]). [1055]: https://codeberg.org/dnkl/foot/issues/1055 [1092]: https://codeberg.org/dnkl/foot/issues/1092 [1097]: https://codeberg.org/dnkl/foot/issues/1097 +[1111]: https://codeberg.org/dnkl/foot/issues/1111 ### Security diff --git a/csi.c b/csi.c index 57cae6b3..659839f0 100644 --- a/csi.c +++ b/csi.c @@ -128,7 +128,8 @@ csi_sgr(struct terminal *term) term->vt.params.v[i + 1].value == 5) { src = COLOR_BASE256; - color = term->vt.params.v[i + 2].value; + color = min(term->vt.params.v[i + 2].value, + ALEN(term->colors.table) - 1); i += 2; } @@ -149,7 +150,8 @@ csi_sgr(struct terminal *term) term->vt.params.v[i].sub.value[0] == 5) { src = COLOR_BASE256; - color = term->vt.params.v[i].sub.value[1]; + color = min(term->vt.params.v[i].sub.value[1], + ALEN(term->colors.table) - 1); } /*
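Review bot: In the CHANGELOG.md hunk, the new entry goes into the bug-fix list that precedes the `### Security` heading, although the commit message describes an out-of-bounds access that any application writing to the terminal can trigger; consider listing it under Security instead. The entry also names the sequences as `CSI 38;5;m` and so on, without an index parameter, so it does not say that the invalid part is a color index beyond the 256-color table. Stating that would let readers judge their exposure.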
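Review bot: In the first csi.c hunk (the `;`-separated form that reads `params.v[i + 2].value`), the clamp silently maps every out-of-range index to the last table entry, so malformed input still changes the cell color. Ignoring the parameter when the index is not below `ALEN(term->colors.table)` may be the less surprising behaviour, and whichever policy is chosen deserves a one-line comment at the assignment. The visible lines do not show the type of `value`, so please confirm that both arguments to `min()` have the same signedness and the comparison behaves as intended.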
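Review bot: In the second csi.c hunk (the `:` sub-parameter form that reads `sub.value[1]`), the clamp expression is a copy of the one in the hunk above. A small helper shared by both paths would keep the bound in one place, so a later change to the table size or to the clamping policy cannot fix one form and miss the other. The diffstat lists only CHANGELOG.md and csi.c, so a regression test that feeds an index such as the 1024 from the commit message through both forms would be worth adding.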