Don't truncate cursor arithmetic to 16 bits.

When updating the row number when the cursor position escape sequence is issued, we should make sure to store the intermediate result in a 32-bit integer. If we fail to do this, the cursor may be set above the origin region, which is bad. This could cause libteken to crash when INVARIANTS is enabled, due to the strict set of assertions that libteken has. PR: 202540 Reported by: kcwu csie org MFC after: 1 month
2015-08-21 06:30:13 +00:00 · 2015-08-21 06:30:13 +00:00 · 9a71fa376b
commit 9a71fa376b
parent 328b9e0bca
1 changed files with 6 additions and 6 deletions
--- a/sys/teken/teken_subr.h
+++ b/sys/teken/teken_subr.h
@ -324,13 +324,13 @@ static void
 teken_subr_cursor_position(teken_t *t, unsigned int row, unsigned int col)
 {

-	t->t_cursor.tp_row = t->t_originreg.ts_begin + row - 1;
-	if (t->t_cursor.tp_row >= t->t_originreg.ts_end)
-		t->t_cursor.tp_row = t->t_originreg.ts_end - 1;
+	row = row - 1 + t->t_originreg.ts_begin;
+	t->t_cursor.tp_row = row < t->t_originreg.ts_end ?
+	    row : t->t_originreg.ts_end - 1;

-	t->t_cursor.tp_col = col - 1;
-	if (t->t_cursor.tp_col >= t->t_winsize.tp_col)
-		t->t_cursor.tp_col = t->t_winsize.tp_col - 1;
+	col--;
+	t->t_cursor.tp_col = col < t->t_winsize.tp_col ?
+	    col : t->t_winsize.tp_col - 1;

 	t->t_stateflags &= ~TS_WRAPPED;
 	teken_funcs_cursor(t);