From a012c2fb3efbac49b4333a62cfd7cc1df9ee6aef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= Date: Wed, 26 May 2021 13:59:32 +0200 Subject: [PATCH] term: fix crash when an OSC-8 URI wraps around the scrollback Long OSC-8 URIs, that are split up over multiple rows, are handled by emitting one URI range on each row the URL touches. This was done by initializing a row index variable, and then incrementing it each loop iteration. This caused an out-of-bounds array access when the row index reached the maximum number of scrollback lines. The fix is simple: make sure the row index variable wraps around, instead of incrementing without any bounds. Closes #552 --- CHANGELOG.md | 2 ++ terminal.c | 10 ++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0a7bc13..f15f47d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -133,6 +133,8 @@ * Regression where `+shift+tab` always produced `\E[Z` instead of the correct `\E[27;;9~` sequence (https://codeberg.org/dnkl/foot/issues/547). +* Crash when a line wrapping OSC-8 URI crossed the scrollback wrap + around (https://codeberg.org/dnkl/foot/issues/552). ### Security diff --git a/terminal.c b/terminal.c index 06eac0d6..8a7dd826 100644 --- a/terminal.c +++ b/terminal.c @@ -3084,7 +3084,7 @@ term_osc8_close(struct terminal *term) int r = start.row; int start_col = start.col; - do { + while (true) { int end_col = r == end.row ? end.col : term->cols - 1; struct row *row = term->grid->rows[r]; @@ -3121,7 +3121,13 @@ term_osc8_close(struct terminal *term) } #endif start_col = 0; - } while (r++ != end.row); + + if (r == end.row) + break; + + r++; + r &= term->grid->num_rows - 1; + } done: free(term->vt.osc8.uri);