
More robust control sequence parameter handling.

Parameters are now accumulated in unsigned integers and carefully checked
for overflow (which is turned into saturation).  Things that consume them
now have explicit range checks (again, saturating) to ensure that their
inputs are sane.  This should make it much harder to cause overflow by
supplying ludicrously large numbers.

Fixes two bugs found with the help of afl-fuzz.  One of them may be
exploitable and is CVE-2015-5309.
Ben Harris
2015-10-07 23:54:39 +01:00
parent f7365a2d57
commit 6056396f77
2 changed files with 44 additions and 7 deletions


@ -172,7 +172,7 @@ struct terminal_tag {
#define ARGS_MAX 32 /* max # of esc sequence arguments */
#define ARG_DEFAULT 0 /* if an arg isn't specified */
#define def(a,d) ( (a) == ARG_DEFAULT ? (d) : (a) )
int esc_args[ARGS_MAX];
unsigned esc_args[ARGS_MAX];
int esc_nargs;
int esc_query;
#define ANSI(x,y) ((x)+((y)<<8))
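Review bot: With `esc_args` now `unsigned`, the unchanged `def(a,d)` macro two lines above yields an unsigned result whenever `a` is an element of this array, because the conditional operator converts both arms to a common type. A consumer that compares that result with a signed quantity, or passes it to an `int` parameter, gets an unsigned comparison or an implementation-defined conversion for values above `INT_MAX`, so the saturating clamp must be applied before that point. The call sites are outside this hunk, so this needs confirming there. I would record the contract on the declaration itself, e.g. `unsigned esc_args[ARGS_MAX]; /* saturated while parsing; clamp to a signed range before using as int */`. The `struct terminal_tag` body starts and ends outside the hunk.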