Place an upper bound on the number of iterations for REP.

Right now it's possible to invoke the REP escape sequence with a maximum of tens of millions of iterations. In practice, there is never any need to do this. Calling it more frequently than the number of cells in the terminal hardly makes any sense. By placing a limit on it, we can prevent users from exhausting resources in inside the terminal emulator. As support for this escape sequence is not present in any of the stable branches, there is no need to MFC. Reported by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11255
svn path=/head/; revision=344309
2019-02-19 21:58:23 +00:00 · 2019-02-19 21:58:23 +00:00 · e06f6f7311 · 2020-12-20 02:59:44 +00:00
commit e06f6f7311
parent 7c27c925f4
1 changed files with 4 additions and 1 deletions
--- a/sys/teken/teken_subr.h
+++ b/sys/teken/teken_subr.h
@ -1337,8 +1337,11 @@ teken_subr_vertical_position_absolute(teken_t *t, unsigned int row)
 static void
 teken_subr_repeat_last_graphic_char(teken_t *t, unsigned int rpts)
 {
+	unsigned int max_repetitions;

+	max_repetitions = t->t_winsize.tp_row * t->t_winsize.tp_col;
+	if (rpts > max_repetitions)
+		rpts = max_repetitions;
 	for (; t->t_last != 0 && rpts > 0; rpts--)
 		teken_subr_regular_character(t, t->t_last);
 }
-