term: protect against integer overflow when accumulating scroll damage

When accumulating scroll damage, we check if the last scroll damage’s scrolling region, and type, matches the new/current scroll damage. If so, the number of lines in the last scroll damage is increased, instead of adding a new scroll damage instance to the list. If the scroll damage list isn’t consumed, this build up of scroll damage would eventually overflow. And, even if it didn’t overflow, it could become large enough, that when later used to calculate e.g. the affected surface area, while rendering a frame, would cause an overflow there instead. This patch fixes both issues by: a) do an overflow check before increasing the line count b) limit the line count to UINT16_MAX
2026-02-05 04:06:08 -05:00 · 2023-03-28 18:37:41 +02:00 · 2023-03-28 18:37:41 +02:00 · 981e4b77cb
commit 981e4b77cb
parent 7bc22862fa
3 changed files with 13 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -138,6 +138,7 @@
  ([#1288][1288]).
 * Crash when application output scrolls very fast, e.g. `yes`
  ([#1305][1305]).
+* Crash when application scrolls **many** lines (> ~2³¹).

 [1173]: https://codeberg.org/dnkl/foot/issues/1173
 [1190]: https://codeberg.org/dnkl/foot/issues/1190
--- a/terminal.c
+++ b/terminal.c
@ -2252,15 +2252,20 @@ void
 term_damage_scroll(struct terminal *term, enum damage_type damage_type,
                   struct scroll_region region, int lines)
 {
-    if (tll_length(term->grid->scroll_damage) > 0) {
+    if (likely(tll_length(term->grid->scroll_damage) > 0)) {
        struct damage *dmg = &tll_back(term->grid->scroll_damage);

-        if (dmg->type == damage_type &&
-            dmg->region.start == region.start &&
-            dmg->region.end == region.end)
+        if (likely(
+                dmg->type == damage_type &&
+                dmg->region.start == region.start &&
+                dmg->region.end == region.end))
        {
-            dmg->lines += lines;
-            return;
+            /* Make sure we don’t overflow... */
+            int new_line_count = (int)dmg->lines + lines;
+            if (likely(new_line_count <= UINT16_MAX)) {
+                dmg->lines = new_line_count;
+                return;
+            }
        }
    }
    struct damage dmg = {
--- a/terminal.h
+++ b/terminal.h
@ -96,7 +96,7 @@ enum damage_type {DAMAGE_SCROLL, DAMAGE_SCROLL_REVERSE,
 struct damage {
    enum damage_type type;
    struct scroll_region region;
-    int lines;
+    uint16_t lines;
 };

 struct row_uri_range {