dcs: prevent possibility of out-of-bounds reads in decrqss()

This could be triggered by running, for example: printf '\033P$qrxyz\033\\' ...which would cause a memcmp() of 4 bytes on a 2 byte string literal. Fixes: #960
2026-02-04 04:06:06 -05:00 · 2022-03-02 19:05:51 +00:00 · 2022-03-02 19:05:51 +00:00 · cc8e86fd2d
commit cc8e86fd2d
parent 7d647c08ff
1 changed files with 4 additions and 4 deletions
--- a/dcs.c
+++ b/dcs.c
@ -240,7 +240,7 @@ decrqss(struct terminal *term)
     * https://github.com/hackerb9/vt340test/issues/13
     */

-    if (memcmp(query, "r", n) == 0) {
+    if (n == 1 && query[0] == 'r') {
        /* DECSTBM - Set Top and Bottom Margins */
        char reply[64];
        int len = snprintf(reply, sizeof(reply), "\033P1$r%d;%dr\033\\",
@ -249,7 +249,7 @@ decrqss(struct terminal *term)
        term_to_slave(term, reply, len);
    }

-    else if (memcmp(query, "m", n) == 0) {
+    else if (n == 1 && query[0] == 'm') {
        /* SGR - Set Graphic Rendition */
        char *reply = NULL;
        size_t len = 0;
@ -356,7 +356,7 @@ decrqss(struct terminal *term)
        free(reply);
    }

-    else if (memcmp(query, " q", n) == 0) {
+    else if (n == 2 && memcmp(query, " q", 2) == 0) {
        /* DECSCUSR - Set Cursor Style */
        int mode;

@ -376,7 +376,7 @@ decrqss(struct terminal *term)
    }

    else {
-        const char err[] = "\033P0$r\033\\";
+        static const char err[] = "\033P0$r\033\\";
        term_to_slave(term, err, sizeof(err) - 1);
    }
 }