From 9287946b3672d21fabd70ba4aeebc5a63e6259f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= <daniel@ekloef.se>
Date: Wed, 10 Apr 2024 05:44:33 +0200
Subject: [PATCH] dcs: DECRQSS: fix off-by-one when checking for space in the
 DCS buffer

---
 CHANGELOG.md | 2 ++
 dcs.c        | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b0c62d36..f555d472 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -64,6 +64,8 @@
 * When closing the window, send `SIGHUP` to the client application,
   before sending `SIGTERM`. The signal sequence is now `SIGHUP`, wait,
   `SIGTERM`, wait `SIGKILL`.
+* Crash when receiving a `DECRQSS` request with more than 2 bytes in
+  the `q` parameter.
 
 [1666]: https://codeberg.org/dnkl/foot/issues/1666
 
diff --git a/dcs.c b/dcs.c
index c4309459..19cce3c2 100644
--- a/dcs.c
+++ b/dcs.c
@@ -239,7 +239,7 @@ decrqss_put(struct terminal *term, uint8_t c)
         return;
 
     struct vt *vt = &term->vt;
-    if (vt->dcs.idx > 2)
+    if (vt->dcs.idx >= 2)
         return;
     vt->dcs.data[vt->dcs.idx++] = c;
 }