From cc8e86fd2d7c2e2527e0c77237ff815888008ac4 Mon Sep 17 00:00:00 2001
From: Craig Barnes
Date: Wed, 2 Mar 2022 19:05:51 +0000
Subject: [PATCH] dcs: prevent possibility of out-of-bounds reads in decrqss()
This could be triggered by running, for example:
printf '\033P$qrxyz\033\\'
...which would cause a memcmp() of 4 bytes on a 2 byte string literal.
Fixes: #960
---
 dcs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dcs.c b/dcs.c
index aafa3ce9..dbd4ead2 100644
--- a/dcs.c
+++ b/dcs.c
@@ -240,7 +240,7 @@ decrqss(struct terminal *term)
 * https://github.com/hackerb9/vt340test/issues/13
 */
- if (memcmp(query, "r", n) == 0) {
+ if (n == 1 && query[0] == 'r') {
 /* DECSTBM - Set Top and Bottom Margins */
 char reply[64];
 int len = snprintf(reply, sizeof(reply), "\033P1$r%d;%dr\033\\",
@@ -249,7 +249,7 @@ decrqss(struct terminal *term)
 term_to_slave(term, reply, len);
 }
- else if (memcmp(query, "m", n) == 0) {
+ else if (n == 1 && query[0] == 'm') {
 /* SGR - Set Graphic Rendition */
 char *reply = NULL;
 size_t len = 0;
@@ -356,7 +356,7 @@ decrqss(struct terminal *term)
 free(reply);
 }
- else if (memcmp(query, " q", n) == 0) {
+ else if (n == 2 && memcmp(query, " q", 2) == 0) {
 /* DECSCUSR - Set Cursor Style */
 int mode;
@@ -376,7 +376,7 @@ decrqss(struct terminal *term)
 }
 else {
- const char err[] = "\033P0$r\033\\";
+ static const char err[] = "\033P0$r\033\\";
 term_to_slave(term, err, sizeof(err) - 1);
 }
 }
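Review bot: The new length guards in the `'r'` branch (and likewise the `'m'` and `" q"` branches in the next two hunks) carry no comment saying why the length is compared before the bytes, so a later selector could reintroduce `memcmp(query, "...", n)`. `query` and `n` are declared outside this hunk; assuming `query` is the raw DCS payload sent by the client program and is not NUL-terminated, I would add above the first `if`: `/* query is client-controlled and not NUL-terminated: require an exact length match first so memcmp() never reads past the string literal */`. The guard also changes two inputs the commit message does not mention: if an empty payload can reach decrqss(), `memcmp(query, "r", 0) == 0` used to answer it as DECSTBM, and a lone space used to match `" q"` as a prefix. Both now reach the error reply, which is worth pinning in a regression test next to the `rxyz` case.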
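Review bot: In the DECSCUSR branch the length `2` is written twice and kept separate from the literal `" q"`, so the literal and its length can drift apart again when a selector is added or edited. Deriving the length from the literal keeps them tied together: `else if (n == sizeof(" q") - 1 && memcmp(query, " q", sizeof(" q") - 1) == 0) {`. Alternatively, all three branches could share one helper such as `#define DCS_EQ(q, n, lit) ((n) == sizeof(lit) - 1 && memcmp((q), (lit), sizeof(lit) - 1) == 0)`, which also removes the two different comparison styles. The body of this branch continues past the end of the hunk.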