blob: 2bc9a59beaf307a448c9d71440b41f477a45c8b8 [file] [log] [blame]
Bug: 45713
How to reproduce:
Run this command inside screen
$ printf '\x1b[10000000T'
screen will recursively call MScrollV to depth n/256.
This is time consuming and will overflow stack if n is huge.
Fixes CVE-2015-6806
Upstream-Status: Backport
Signed-off-by: Kuang-che Wu <kcwu@csie.org>
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c
--- screen-4.3.1-orig/ansi.c 2015-06-29 00:22:55.000000000 +0300
+++ screen-4.3.1/ansi.c 2015-10-06 13:13:58.297648039 +0300
@@ -2502,13 +2502,13 @@
return;
if (n > 0)
{
+ if (ye - ys + 1 < n)
+ n = ye - ys + 1;
if (n > 256)
{
MScrollV(p, n - 256, ys, ye, bce);
n = 256;
}
- if (ye - ys + 1 < n)
- n = ye - ys + 1;
#ifdef COPY_PASTE
if (compacthist)
{
@@ -2562,15 +2562,15 @@
}
else
{
- if (n < -256)
- {
- MScrollV(p, n + 256, ys, ye, bce);
- n = -256;
- }
n = -n;
if (ye - ys + 1 < n)
n = ye - ys + 1;
+ if (n > 256)
+ {
+ MScrollV(p, - (n - 256), ys, ye, bce);
+ n = 256;
+ }
ml = p->w_mlines + ye;
/* Clear lines */
for (i = ye; i > ye - n; i--, ml--)