mirrors/foot
1
0
Fork 0
mirror of https://codeberg.org/dnkl/foot.git synced 2026-02-05 04:06:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

dcs: prevent possibility of out-of-bounds reads in decrqss()

Browse source 
This could be triggered by running, for example:

    printf '\033P$qrxyz\033\\'

...which would cause a memcmp() of 4 bytes on a 2 byte string literal.

Fixes: #960
This commit is contained in:
Craig Barnes 2022-03-02 19:05:51 +00:00
parent 7d647c08ff
commit cc8e86fd2d
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
dcs.c
View file

@ -240,7 +240,7 @@ decrqss(struct terminal *term)
* https://github.com/hackerb9/vt340test/issues/13 * https://github.com/hackerb9/vt340test/issues/13
*/ */
if (memcmp(query, "r", n) == 0) { if (n == 1 && query[0] == 'r') {
/* DECSTBM - Set Top and Bottom Margins */ /* DECSTBM - Set Top and Bottom Margins */
char reply[64]; char reply[64];
int len = snprintf(reply, sizeof(reply), "\033P1$r%d;%dr\033\\", int len = snprintf(reply, sizeof(reply), "\033P1$r%d;%dr\033\\",
@ -249,7 +249,7 @@ decrqss(struct terminal *term)
term_to_slave(term, reply, len); term_to_slave(term, reply, len);
} }
else if (memcmp(query, "m", n) == 0) { else if (n == 1 && query[0] == 'm') {
/* SGR - Set Graphic Rendition */ /* SGR - Set Graphic Rendition */
char *reply = NULL; char *reply = NULL;
size_t len = 0; size_t len = 0;
@ -356,7 +356,7 @@ decrqss(struct terminal *term)
free(reply); free(reply);
} }
else if (memcmp(query, " q", n) == 0) { else if (n == 2 && memcmp(query, " q", 2) == 0) {
/* DECSCUSR - Set Cursor Style */ /* DECSCUSR - Set Cursor Style */
int mode; int mode;
@ -376,7 +376,7 @@ decrqss(struct terminal *term)
} }
else { else {
const char err[] = "\033P0$r\033\\"; static const char err[] = "\033P0$r\033\\";
term_to_slave(term, err, sizeof(err) - 1); term_to_slave(term, err, sizeof(err) - 1);
} }
} }