| Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 1 | Bug: 45713 |
| 2 | |
| 3 | How to reproduce: |
| 4 | Run this command inside screen |
| 5 | $ printf '\x1b[10000000T' |
| 6 | |
| 7 | screen will recursively call MScrollV to depth n/256. |
| 8 | This is time consuming and will overflow stack if n is huge. |
| 9 | |
| 10 | Fixes CVE-2015-6806 |
| 11 | |
| 12 | Upstream-Status: Backport |
| 13 | |
| 14 | Signed-off-by: Kuang-che Wu <kcwu@csie.org> |
| 15 | Signed-off-by: Amadeusz Sławiński <amade@asmblr.net> |
| 16 | Signed-off-by: Maxin B. John <maxin.john@intel.com> |
| 17 | --- |
| 18 | diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c |
| 19 | --- screen-4.3.1-orig/ansi.c 2015-06-29 00:22:55.000000000 +0300 |
| 20 | +++ screen-4.3.1/ansi.c 2015-10-06 13:13:58.297648039 +0300 |
| 21 | @@ -2502,13 +2502,13 @@ |
| 22 | return; |
| 23 | if (n > 0) |
| 24 | { |
| 25 | + if (ye - ys + 1 < n) |
| 26 | + n = ye - ys + 1; |
| 27 | if (n > 256) |
| 28 | { |
| 29 | MScrollV(p, n - 256, ys, ye, bce); |
| 30 | n = 256; |
| 31 | } |
| 32 | - if (ye - ys + 1 < n) |
| 33 | - n = ye - ys + 1; |
| 34 | #ifdef COPY_PASTE |
| 35 | if (compacthist) |
| 36 | { |
| 37 | @@ -2562,15 +2562,15 @@ |
| 38 | } |
| 39 | else |
| 40 | { |
| 41 | - if (n < -256) |
| 42 | - { |
| 43 | - MScrollV(p, n + 256, ys, ye, bce); |
| 44 | - n = -256; |
| 45 | - } |
| 46 | n = -n; |
| 47 | if (ye - ys + 1 < n) |
| 48 | n = ye - ys + 1; |
| 49 | |
| 50 | + if (n > 256) |
| 51 | + { |
| 52 | + MScrollV(p, - (n - 256), ys, ye, bce); |
| 53 | + n = 256; |
| 54 | + } |
| 55 | ml = p->w_mlines + ye; |
| 56 | /* Clear lines */ |
| 57 | for (i = ye; i > ye - n; i--, ml--) |