From 2ffbd5b5f05dded1564ba32a6a00b0b417439b2f Mon Sep 17 00:00:00 2001
From: nicm
Date: Tue, 25 Aug 2015 15:00:05 +0000
Subject: [PATCH] When searching for tabs, start from screen width, fixes out-of-bounds read found by Kuang-che Wu.
---
 input.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/input.c b/input.c
index 095816c3..7a334810 100644
--- a/input.c
+++ b/input.c
@@ -1199,6 +1199,7 @@ input_csi_dispatch(struct input_ctx *ictx)
 struct screen *s = sctx->s;
 struct input_table_entry *entry;
 int n, m;
+ u_int cx;
 if (ictx->flags & INPUT_DISCARD)
 return (0);
@@ -1217,12 +1218,16 @@ input_csi_dispatch(struct input_ctx *ictx)
 switch (entry->type) {
 case INPUT_CSI_CBT:
 /* Find the previous tab point, n times. */
+ cx = s->cx;
+ if (cx > screen_size_x(s) - 1)
+ cx = screen_size_x(s) - 1;
 n = input_get(ictx, 0, 1, 1);
- while (s->cx > 0 && n-- > 0) {
+ while (cx > 0 && n-- > 0) {
 do
- s->cx--;
- while (s->cx > 0 && !bit_test(s->tabs, s->cx));
+ cx--;
+ while (cx > 0 && !bit_test(s->tabs, cx));
 }
+ s->cx = cx;
 break;
 case INPUT_CSI_CUB:
 screen_write_cursorleft(sctx, input_get(ictx, 0, 1, 1));
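Review bot: The clamp added in the INPUT_CSI_CBT case depends on `screen_size_x(s) - 1` never wrapping: `cx` is `u_int`, so if the width could ever be 0 the subtraction would (assuming screen_size_x() yields an unsigned value) give a huge bound and the clamp would no longer keep `bit_test(s->tabs, cx)` inside the tab bitmap. If a zero width is ruled out elsewhere, a one-line comment would record that and the reason for the clamp, e.g. `/* s->cx may sit past the last column; clamp so bit_test() stays within s->tabs (width is always >= 1). */`. The fix is local to this case, so any other code that indexes `s->tabs` by `s->cx` lies outside this hunk and is worth checking for the same assumption. The body of input_csi_dispatch starts and ends outside the hunk.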