From bf7c064c0faba1cb4cf202663658c706080f3372 Mon Sep 17 00:00:00 2001
From: Nicholas Marriott
Date: Thu, 29 Oct 2020 16:33:02 +0000
Subject: Do not write after the end of the array and overwrite the stack when colon-separated SGR sequences contain empty arguments. Reported by Sergey Nizovtsev.
---
 usr.bin/tmux/input.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'usr.bin/tmux/input.c')
diff --git a/usr.bin/tmux/input.c b/usr.bin/tmux/input.c
index 0110a6535d3..8f1e2f951a7 100644
--- a/usr.bin/tmux/input.c
+++ b/usr.bin/tmux/input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: input.c,v 1.183 2020/08/19 06:37:23 nicm Exp $ */
+/* $OpenBSD: input.c,v 1.184 2020/10/29 16:33:01 nicm Exp $ */
 /*
 * Copyright (c) 2007 Nicholas Marriott
@@ -1976,8 +1976,13 @@ input_csi_dispatch_sgr_colon(struct input_ctx *ictx, u_int i)
 free(copy);
 return;
 }
- } else
+ } else {
 n++;
+ if (n == nitems(p)) {
+ free(copy);
+ return;
+ }
+ }
 log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
 }
 free(copy);
--
cgit v1.2.3
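Review bot: In the new `else` block of `input_csi_dispatch_sgr_colon` an empty argument advances `n` without storing anything, yet the `log_debug` call right after the branch still reads `p[n - 1]`; that is only well-defined if `p` is fully initialised before the loop, which lies outside this hunk and should be confirmed. The end-of-array guard `if (n == nitems(p))` now appears to live in both branches (the first branch's condition line is not visible here, only its `free(copy); return;` body), so a single check placed after the if/else and before `log_debug` would keep the bound in one place and make it harder for a future branch to skip it. A short comment on the new branch would also help, for example `/* Empty argument: keep the default value but still consume a slot, so n must be bounded here too. */`. A regression test that feeds a colon-separated SGR sequence with at least `nitems(p)` empty arguments would pin the fix.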