From c5b3acf218ecdf5abcfaa829a0e8f192865f040f Mon Sep 17 00:00:00 2001
From: Ed Schouten
Date: Sat, 15 Aug 2015 08:42:33 +0000
Subject: [PATCH] Stop parsing digits if the value already exceeds USHRT_MAX.

There is no need for us to support parsing values that are larger than the maximum terminal window size. In this case that would be the maximum of unsigned short. The problem with parsing larger values is that they can cause integer overflows when adjusting the cursor position, leading to all sorts of failing assertions.

PR: 202326
Reported by: kcwu csie org
MFC after: 1 month
---
 sys/teken/teken.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/sys/teken/teken.c b/sys/teken/teken.c
index 3002a88c882f..ef50e50035ae 100644
--- a/sys/teken/teken.c
+++ b/sys/teken/teken.c
@@ -29,12 +29,14 @@
 #include
 #if defined(__FreeBSD__) && defined(_KERNEL)
 #include
+#include
 #include
 #include
 #define teken_assert(x) MPASS(x)
 #else /* !(__FreeBSD__ && _KERNEL) */
 #include
 #include
+#include
 #include
 #include
 #include
@@ -405,18 +407,21 @@ teken_state_numbers(teken_t *t, teken_char_t c)
 teken_assert(t->t_curnum < T_NUMSIZE);

 if (c >= '0' && c <= '9') {
- /*
- * Don't do math with the default value of 1 when a
- * custom number is inserted.
- */
 if (t->t_stateflags & TS_FIRSTDIGIT) {
+ /* First digit. */
 t->t_stateflags &= ~TS_FIRSTDIGIT;
- t->t_nums[t->t_curnum] = 0;
- } else {
- t->t_nums[t->t_curnum] *= 10;
+ t->t_nums[t->t_curnum] = c - '0';
+ } else if (t->t_nums[t->t_curnum] < USHRT_MAX) {
+ /*
+ * Screen positions are stored as unsigned
+ * shorts. There is no need to continue parsing
+ * input once the value exceeds USHRT_MAX. It
+ * would only allow for integer overflows when
+ * performing arithmetic on the cursor position.
+ */
+ t->t_nums[t->t_curnum] =
+ t->t_nums[t->t_curnum] * 10 + c - '0';
 }
-
- t->t_nums[t->t_curnum] += c - '0';
 return (1);
 } else if (c == ';') {
 if (t->t_stateflags & TS_FIRSTDIGIT)
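Review bot: The guard in the new `else if (t->t_nums[t->t_curnum] < USHRT_MAX)` branch caps the accumulator at 655349 (65534 * 10 + 9), not at USHRT_MAX, so a parameter larger than an unsigned short can still reach the code that consumes `t_nums`. That bound is presumably small enough to prevent wraparound if the arithmetic is done in unsigned int, but any consumer that narrows the value to an unsigned short before range-checking it would still truncate; those consumers and the declaration of `t_nums` are outside this hunk. Either saturate right after the update, `if (t->t_nums[t->t_curnum] > USHRT_MAX) t->t_nums[t->t_curnum] = USHRT_MAX;`, or reword the new comment to state the real upper bound so callers know they must still clamp. The body of teken_state_numbers begins before and continues past the hunk.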