mirrors/foot
1
0
Fork 0
mirror of https://codeberg.org/dnkl/foot.git synced 2026-05-29 21:38:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

csi: DECCRA: clamp and verify destination rectangle coordinates

Browse source 
dst_right was already being clamped, but not dst_left.

In addition to that, reject the sequence if dst_left > dst_right, or
dst_bottom > dst_top.

This is already being done for the source rectangle, in
params_to_rectangular_area().

Closes #2352
This commit is contained in:
Daniel Eklöf 2026-05-22 11:39:04 +02:00
parent 2eaa7beba1
commit b18d8aa2f1
No known key found for this signature in database
GPG key ID: 5BBD4992C116573F
2 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -79,8 +79,11 @@
* Out-of-bounds read when parsing URIs with malformed %-encoded * Out-of-bounds read when parsing URIs with malformed %-encoded
content ([#2353][2353]). content ([#2353][2353]).
* DECCRA not clamping or verifying the destination rectangle
([#2352][2352]).
[2353]: https://codeberg.org/dnkl/foot/issues/2353 [2353]: https://codeberg.org/dnkl/foot/issues/2353
[2352]: https://codeberg.org/dnkl/foot/issues/2352
### Security ### Security

17
csi.c
View file

@ -774,7 +774,7 @@ params_to_rectangular_area(const struct terminal *term, int first_idx,
int rel_bottom = vt_param_get(term, first_idx + 2, term->rows) - 1; int rel_bottom = vt_param_get(term, first_idx + 2, term->rows) - 1;
*right = min(vt_param_get(term, first_idx + 3, term->cols) - 1, term->cols - 1); *right = min(vt_param_get(term, first_idx + 3, term->cols) - 1, term->cols - 1);
if (rel_top > rel_bottom || *left > *right) if (unlikely(rel_top > rel_bottom || *left > *right))
return false; return false;
*top = term_row_rel_to_abs(term, rel_top); *top = term_row_rel_to_abs(term, rel_top);
@ -2005,9 +2005,8 @@ csi_dispatch(struct terminal *term, uint8_t final)
} }
int src_page = vt_param_get(term, 4, 1); int src_page = vt_param_get(term, 4, 1);
int dst_rel_top = vt_param_get(term, 5, 1) - 1; int dst_rel_top = vt_param_get(term, 5, 1) - 1;
int dst_left = vt_param_get(term, 6, 1) - 1; int dst_left = min(vt_param_get(term, 6, 1) - 1, term->cols - 1);
int dst_page = vt_param_get(term, 7, 1); int dst_page = vt_param_get(term, 7, 1);
if (unlikely(src_page != 1 || dst_page != 1)) { if (unlikely(src_page != 1 || dst_page != 1)) {
@ -2021,6 +2020,18 @@ csi_dispatch(struct terminal *term, uint8_t final)
int dst_top = term_row_rel_to_abs(term, dst_rel_top); int dst_top = term_row_rel_to_abs(term, dst_rel_top);
int dst_bottom = term_row_rel_to_abs(term, dst_rel_bottom); int dst_bottom = term_row_rel_to_abs(term, dst_rel_bottom);
if (unlikely(dst_left > dst_right || dst_bottom > dst_top))
break;
/*
* src validated by params_to_rectangular_area()
* dst validated above
*/
xassert(src_bottom - src_top >= 0);
xassert(dst_bottom - dst_top >= 0);
xassert(src_right - src_left >= 0);
xassert(dst_right - dst_left >= 0);
/* Target area outside the screen is clipped */ /* Target area outside the screen is clipped */
const size_t row_count = min(src_bottom - src_top, const size_t row_count = min(src_bottom - src_top,
dst_bottom - dst_top) + 1; dst_bottom - dst_top) + 1;