From b982178f6ba05816de1e0c6ee4115e784cf91b7f Mon Sep 17 00:00:00 2001
From: ed <ed@FreeBSD.org>
Date: Fri, 21 Aug 2015 06:30:13 +0000
Subject: [PATCH] Don't truncate cursor arithmetic to 16 bits.

When updating the row number when the cursor position escape sequence is
issued, we should make sure to store the intermediate result in a 32-bit
integer. If we fail to do this, the cursor may be set above the origin
region, which is bad.

This could cause libteken to crash when INVARIANTS is enabled, due to
the strict set of assertions that libteken has.

PR:		202540
Reported by:	kcwu csie org
MFC after:	1 month
---
 sys/teken/teken_subr.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sys/teken/teken_subr.h b/sys/teken/teken_subr.h
index 2eee6279c970..c686b916f9d3 100644
--- a/sys/teken/teken_subr.h
+++ b/sys/teken/teken_subr.h
@@ -324,13 +324,13 @@ static void
 teken_subr_cursor_position(teken_t *t, unsigned int row, unsigned int col)
 {
 
-	t->t_cursor.tp_row = t->t_originreg.ts_begin + row - 1;
-	if (t->t_cursor.tp_row >= t->t_originreg.ts_end)
-		t->t_cursor.tp_row = t->t_originreg.ts_end - 1;
+	row = row - 1 + t->t_originreg.ts_begin;
+	t->t_cursor.tp_row = row < t->t_originreg.ts_end ?
+	    row : t->t_originreg.ts_end - 1;
 
-	t->t_cursor.tp_col = col - 1;
-	if (t->t_cursor.tp_col >= t->t_winsize.tp_col)
-		t->t_cursor.tp_col = t->t_winsize.tp_col - 1;
+	col--;
+	t->t_cursor.tp_col = col < t->t_winsize.tp_col ?
+	    col : t->t_winsize.tp_col - 1;
 
 	t->t_stateflags &= ~TS_WRAPPED;
 	teken_funcs_cursor(t);