billiob pushed a commit to branch master.

http://git.enlightenment.org/apps/terminology.git/commit/?id=f47eb5e4105e00cfd2cd91ceabe3e2bb95476ca3

commit f47eb5e4105e00cfd2cd91ceabe3e2bb95476ca3
Author: Boris Faure <[email protected]>
Date:   Wed Mar 5 22:23:13 2014 +0100

    fix buffer overflows. Closes T1050
---
 src/bin/termptyesc.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/bin/termptyesc.c b/src/bin/termptyesc.c
index 9ebd348..2a62bae 100644
--- a/src/bin/termptyesc.c
+++ b/src/bin/termptyesc.c
@@ -52,7 +52,7 @@ _csi_arg_get(Eina_Unicode **ptr)
 }
 
 static void
-_handle_cursor_control(Termpty *ty, Eina_Unicode *cc)
+_handle_cursor_control(Termpty *ty, const Eina_Unicode *cc)
 {
    switch (*cc)
      {
@@ -337,19 +337,25 @@ _handle_esc_csi_color_set(Termpty *ty, Eina_Unicode **ptr)
 static int
 _handle_esc_csi(Termpty *ty, const Eina_Unicode *c, Eina_Unicode *ce)
 {
-   Eina_Unicode *cc;
    int arg, i;
+   const Eina_Unicode *cc, *be;
    Eina_Unicode buf[4096], *b;
 
    cc = (Eina_Unicode *)c;
    b = buf;
-   while ((cc < ce) && (*cc <= '?'))
+   be = buf + sizeof(buf) / sizeof(buf[0]);
+   while ((cc < ce) && (*cc <= '?') && (b < be))
      {
         _handle_cursor_control(ty, cc);
         *b = *cc;
         b++;
         cc++;
      }
+   if (b == be)
+     {
+        ERR("csi parsing overflowed, skipping the whole buffer (binary 
data?)");
+        return cc - c;
+     }
    if (cc == ce) return 0;
    *b = 0;
    b = buf;
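Review bot: The new `if (b == be)` return in `_handle_esc_csi` is what keeps the later `*b = 0` inside `buf[4096]`, and nothing in the code records that dependency. A one-line comment above the check would stop a later refactor from moving it below the terminator write: `/* buf is full: return before the '*b = 0' below, which would write one element past the end */`. Separately, now that `cc` is `const Eina_Unicode *`, the cast in `cc = (Eina_Unicode *)c;` only strips the qualifier and adds it back; `cc = c;` would match `_handle_esc_xterm`. The function body continues past the end of this hunk.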
@@ -1026,14 +1032,15 @@ unhandled:
 static int
 _handle_esc_xterm(Termpty *ty, const Eina_Unicode *c, Eina_Unicode *ce)
 {
-   const Eina_Unicode *cc;
+   const Eina_Unicode *cc, *be;
    Eina_Unicode buf[4096], *b;
    char *s;
    int len = 0;
-   
+
    cc = c;
    b = buf;
-   while ((cc < ce) && (*cc != ST) && (*cc != BEL))
+   be = buf + sizeof(buf) / sizeof(buf[0]);
+   while ((cc < ce) && (*cc != ST) && (*cc != BEL) && (b < be))
      {
         if ((cc < ce - 1) && (*cc == ESC) && (*(cc + 1) == '\\'))
           {
@@ -1044,6 +1051,11 @@ _handle_esc_xterm(Termpty *ty, const Eina_Unicode *c, 
Eina_Unicode *ce)
         b++;
         cc++;
      }
+   if (b == be)
+     {
+        ERR("xterm parsing overflowed, skipping the whole buffer (binary 
data?)");
+        return cc - c;
+     }
    *b = 0;
    if ((*cc == ST) || (*cc == BEL) || (*cc == '\\')) cc++;
    else return 0;
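Review bot: The added `b == be` guard bounds the write into `buf`, but the read on the `if ((*cc == ST) || (*cc == BEL) || (*cc == '\\'))` line is still reached when the loop stops because `cc` reached `ce`, so `*cc` is evaluated at the end pointer. `_handle_esc_csi` covers that case with `if (cc == ce) return 0;` before it touches the input again, and the same line placed ahead of `*b = 0;` here would avoid the read. Whether `ce` is itself dereferenceable depends on the caller, which this diff does not show, so this is an out-of-bounds read only if `ce` points one past the valid data. Part of the loop body lies between this hunk and the previous one and is not visible.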
@@ -1167,7 +1179,7 @@ _handle_esc_dcs(Termpty *ty EINA_UNUSED, const 
Eina_Unicode *c, const Eina_Unico
    cc = c;
    b = buf;
    be = buf + sizeof(buf) / sizeof(buf[0]);
-   while ((cc < ce) && (*cc != ST) && b != be)
+   while ((cc < ce) && (*cc != ST) && (b < be))
      {
         if ((cc < ce - 1) && (*cc == ESC) && (*(cc + 1) == '\\'))
           {

-- 

