| Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | Upstream-Status: Backport |
| 2 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 3 | |
| 4 | From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001 |
| 5 | From: Christian Persch <chpe@gnome.org> |
| 6 | Date: Sat, 19 May 2012 19:36:09 +0200 |
| 7 | Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535 |
| 8 | |
| 9 | To guard against malicious sequences containing excessively big numbers, |
| 10 | limit all parsed numbers to 16 bit range. Doing this here in the parsing |
| 11 | routine is a catch-all guard; this doesn't preclude enforcing |
| 12 | more stringent limits in the handlers themselves. |
| 13 | |
| 14 | https://bugzilla.gnome.org/show_bug.cgi?id=676090 |
| 15 | --- |
| 16 | src/table.c | 2 +- |
| 17 | src/vteseq.c | 2 +- |
| 18 | 2 files changed, 2 insertions(+), 2 deletions(-) |
| 19 | |
| 20 | diff --git a/src/table.c b/src/table.c |
| 21 | index 140e8c8..85cf631 100644 |
| 22 | --- a/src/table.c |
| 23 | +++ b/src/table.c |
| 24 | @@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array, |
| 25 | if (G_UNLIKELY (*array == NULL)) { |
| 26 | *array = g_value_array_new(1); |
| 27 | } |
| 28 | - g_value_set_long(&value, total); |
| 29 | + g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT)); |
| 30 | g_value_array_append(*array, &value); |
| 31 | } while (i++ < arginfo->length); |
| 32 | g_value_unset(&value); |
| 33 | diff --git a/src/vteseq.c b/src/vteseq.c |
| 34 | index 7ef4c8c..10991db 100644 |
| 35 | --- a/src/vteseq.c |
| 36 | +++ b/src/vteseq.c |
| 37 | @@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal, |
| 38 | GValueArray *params, |
| 39 | VteTerminalSequenceHandler handler) |
| 40 | { |
| 41 | - vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG); |
| 42 | + vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT); |
| 43 | } |
| 44 | |
| 45 | static void |
| 46 | -- |
| 47 | 2.4.9 (Apple Git-60) |
| 48 | |
| 49 | |
| 50 | From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001 |
| 51 | From: Christian Persch <chpe@gnome.org> |
| 52 | Date: Sat, 19 May 2012 20:04:12 +0200 |
| 53 | Subject: [PATCH 2/2] emulation: Limit repetitions |
| 54 | |
| 55 | Don't allow malicious sequences to cause excessive repetitions. |
| 56 | |
| 57 | https://bugzilla.gnome.org/show_bug.cgi?id=676090 |
| 58 | --- |
| 59 | src/vteseq.c | 25 ++++++++++++++++++------- |
| 60 | 1 file changed, 18 insertions(+), 7 deletions(-) |
| 61 | |
| 62 | diff --git a/src/vteseq.c b/src/vteseq.c |
| 63 | index 10991db..209522f 100644 |
| 64 | --- a/src/vteseq.c |
| 65 | +++ b/src/vteseq.c |
| 66 | @@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params) |
| 67 | static void |
| 68 | vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params) |
| 69 | { |
| 70 | - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc); |
| 71 | + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc); |
| 72 | } |
| 73 | |
| 74 | /* Delete a line at the current cursor position. */ |
| 75 | @@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params) |
| 76 | static void |
| 77 | vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params) |
| 78 | { |
| 79 | - vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd); |
| 80 | + vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd); |
| 81 | } |
| 82 | |
| 83 | /* Save cursor (position). */ |
| 84 | @@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) |
| 85 | { |
| 86 | GValue *value; |
| 87 | VteScreen *screen; |
| 88 | - long param, end, row; |
| 89 | - int i; |
| 90 | + long param, end, row, i, limit; |
| 91 | screen = terminal->pvt->screen; |
| 92 | /* The default is one. */ |
| 93 | param = 1; |
| 94 | @@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params) |
| 95 | } else { |
| 96 | end = screen->insert_delta + terminal->row_count - 1; |
| 97 | } |
| 98 | - /* Insert the new lines at the cursor. */ |
| 99 | + |
| 100 | + /* Only allow to insert as many lines as there are between this row |
| 101 | + * and the end of the scrolling region. See bug #676090. |
| 102 | + */ |
| 103 | + limit = end - row + 1; |
| 104 | + param = MIN (param, limit); |
| 105 | + |
| 106 | for (i = 0; i < param; i++) { |
| 107 | /* Clear a line off the end of the region and add one to the |
| 108 | * top of the region. */ |
| 109 | @@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) |
| 110 | { |
| 111 | GValue *value; |
| 112 | VteScreen *screen; |
| 113 | - long param, end, row; |
| 114 | - int i; |
| 115 | + long param, end, row, i, limit; |
| 116 | |
| 117 | screen = terminal->pvt->screen; |
| 118 | /* The default is one. */ |
| 119 | @@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params) |
| 120 | } else { |
| 121 | end = screen->insert_delta + terminal->row_count - 1; |
| 122 | } |
| 123 | + |
| 124 | + /* Only allow to delete as many lines as there are between this row |
| 125 | + * and the end of the scrolling region. See bug #676090. |
| 126 | + */ |
| 127 | + limit = end - row + 1; |
| 128 | + param = MIN (param, limit); |
| 129 | + |
| 130 | /* Clear them from below the current cursor. */ |
| 131 | for (i = 0; i < param; i++) { |
| 132 | /* Insert a line at the end of the region and remove one from |
| 133 | -- |
| 134 | 2.4.9 (Apple Git-60) |
| 135 | |