diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2022-02-21 09:05:41 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2022-02-21 09:05:41 +0000 |
| commit | 57768bbb154c2879d34ec20e401b19472e77aaf7 (patch) | |
| tree | bcbd0e74d3115be436fe7078eee6733e043d863f /app/xterm | |
| parent | 4f39d8fa71746466b878ca7748d9ff57c80508d2 (diff) | |
Merge Upstream fix for buffer overflow in sixel code.
This code is not compiled on OpenBSD so the shipped xterm are not
vulnerable to this (which is CVE-2022-24130)
Committing the fix in case someone uses this for builds with sixel enabled.
Diffstat (limited to 'app/xterm')
| -rw-r--r-- | app/xterm/graphics_sixel.c | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/app/xterm/graphics_sixel.c b/app/xterm/graphics_sixel.c index 8d580b71c..ebdecda21 100644 --- a/app/xterm/graphics_sixel.c +++ b/app/xterm/graphics_sixel.c @@ -1,8 +1,8 @@ -/* $XTermId: graphics_sixel.c,v 1.29 2021/08/10 00:39:26 tom Exp $ */ +/* $XTermId: graphics_sixel.c,v 1.31 2022/01/31 08:53:42 tom Exp $ */ /* - * Copyright 2014-2020,2021 by Ross Combs - * Copyright 2014-2020,2021 by Thomas E. Dickey + * Copyright 2014-2021,2022 by Ross Combs + * Copyright 2014-2021,2022 by Thomas E. Dickey * * All Rights Reserved * @@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context) graphic->color_registers_used[context->background] = 1; } -static void +static Boolean set_sixel(Graphic *graphic, SixelContext const *context, int sixel) { const int mh = graphic->max_height; @@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) ((color != COLOR_HOLE) ? (unsigned) graphic->color_registers[color].b : 0U))); for (pix = 0; pix < 6; pix++) { - if (context->col < mw && context->row + pix < mh) { + if (context->col >= 0 && + context->col < mw && + context->row + pix >= 0 && + context->row + pix < mh) { if (sixel & (1 << pix)) { if (context->col + 1 > graphic->actual_width) { graphic->actual_width = context->col + 1; @@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) } } else { TRACE(("sixel pixel %d out of bounds\n", pix)); + return False; } } + return True; } static void @@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) init_sixel_background(graphic, &context); graphic->valid = 1; } - if (sixel) - set_sixel(graphic, &context, sixel); + if (sixel) { + if (!set_sixel(graphic, &context, sixel)) { + context.col = 0; + break; + } + } context.col++; } else if (ch == '$') { /* DECGCR */ /* ignore DECCRNLM in sixel mode */ @@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) if (sixel) { int i; for (i = 0; i < Pcount; i++) { - set_sixel(graphic, &context, sixel); - context.col++; + if (set_sixel(graphic, &context, sixel)) { + context.col++; + } else { + context.col = 0; + break; + } } } else { context.col += Pcount; |