| |
@@ -0,0 +1,41 @@
|
| |
+ From 6fe3671984fbe073edc38edc0a0e820841bfefa4 Mon Sep 17 00:00:00 2001
|
| |
+ From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
|
| |
+ Date: Thu, 30 Jan 2020 17:56:27 +0100
|
| |
+ Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
|
| |
+ MIME-Version: 1.0
|
| |
+ Content-Type: text/plain; charset=UTF-8
|
| |
+ Content-Transfer-Encoding: 8bit
|
| |
+
|
| |
+ echo -e "\e]49\e; \n\ec"
|
| |
+ crashes screen.
|
| |
+
|
| |
+ This happens because 49 is divided by 10 and used as table index
|
| |
+ resulting in access to w_xtermosc[4], which is out of bounds with table
|
| |
+ itself being size 4. Increase size of table by 1 to 5, which is enough
|
| |
+ for all current uses.
|
| |
+
|
| |
+ As this overwrites memory based on user input it is potential security
|
| |
+ issue.
|
| |
+
|
| |
+ Reported-by: pippin@gimp.org
|
| |
+ Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
|
| |
+ ---
|
| |
+ window.h | 2 +-
|
| |
+ 1 file changed, 1 insertion(+), 1 deletion(-)
|
| |
+
|
| |
+ diff --git a/window.h b/window.h
|
| |
+ index bd10dcd..a8afa19 100644
|
| |
+ --- a/window.h
|
| |
+ +++ b/window.h
|
| |
+ @@ -237,7 +237,7 @@ struct win
|
| |
+ char w_vbwait;
|
| |
+ char w_norefresh; /* dont redisplay when switching to that win */
|
| |
+ #ifdef RXVT_OSC
|
| |
+ - char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
|
| |
+ + char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
|
| |
+ #endif
|
| |
+ int w_mouse; /* mouse mode 0,9,1000 */
|
| |
+ #ifdef HAVE_BRAILLE
|
| |
+ --
|
| |
+ 2.24.1
|
| |
+
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=1801408