summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu@cvs.openbsd.org>2022-02-21 09:05:41 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2022-02-21 09:05:41 +0000
commit57768bbb154c2879d34ec20e401b19472e77aaf7 (patch)
treebcbd0e74d3115be436fe7078eee6733e043d863f
parent4f39d8fa71746466b878ca7748d9ff57c80508d2 (diff)
Merge Upstream fix for buffer overflow in sixel code.
This code is not compiled on OpenBSD so the shipped xterm are not vulnerable to this (which is CVE-2022-24130) Committing the fix in case someone uses this for builds with sixel enabled.
-rw-r--r--app/xterm/graphics_sixel.c31
1 files changed, 22 insertions, 9 deletions
diff --git a/app/xterm/graphics_sixel.c b/app/xterm/graphics_sixel.c
index 8d580b71c..ebdecda21 100644
--- a/app/xterm/graphics_sixel.c
+++ b/app/xterm/graphics_sixel.c
@@ -1,8 +1,8 @@
-/* $XTermId: graphics_sixel.c,v 1.29 2021/08/10 00:39:26 tom Exp $ */
+/* $XTermId: graphics_sixel.c,v 1.31 2022/01/31 08:53:42 tom Exp $ */
/*
- * Copyright 2014-2020,2021 by Ross Combs
- * Copyright 2014-2020,2021 by Thomas E. Dickey
+ * Copyright 2014-2021,2022 by Ross Combs
+ * Copyright 2014-2021,2022 by Thomas E. Dickey
*
* All Rights Reserved
*
@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context)
graphic->color_registers_used[context->background] = 1;
}
-static void
+static Boolean
set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
{
const int mh = graphic->max_height;
@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
((color != COLOR_HOLE)
? (unsigned) graphic->color_registers[color].b : 0U)));
for (pix = 0; pix < 6; pix++) {
- if (context->col < mw && context->row + pix < mh) {
+ if (context->col >= 0 &&
+ context->col < mw &&
+ context->row + pix >= 0 &&
+ context->row + pix < mh) {
if (sixel & (1 << pix)) {
if (context->col + 1 > graphic->actual_width) {
graphic->actual_width = context->col + 1;
@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
}
} else {
TRACE(("sixel pixel %d out of bounds\n", pix));
+ return False;
}
}
+ return True;
}
static void
@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
init_sixel_background(graphic, &context);
graphic->valid = 1;
}
- if (sixel)
- set_sixel(graphic, &context, sixel);
+ if (sixel) {
+ if (!set_sixel(graphic, &context, sixel)) {
+ context.col = 0;
+ break;
+ }
+ }
context.col++;
} else if (ch == '$') { /* DECGCR */
/* ignore DECCRNLM in sixel mode */
@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
if (sixel) {
int i;
for (i = 0; i < Pcount; i++) {
- set_sixel(graphic, &context, sixel);
- context.col++;
+ if (set_sixel(graphic, &context, sixel)) {
+ context.col++;
+ } else {
+ context.col = 0;
+ break;
+ }
}
} else {
context.col += Pcount;