[dev] [st patch queue 09/12] Simplify tdeletechar and tinsertblank and fix memory corruption.

From: noname <noname_AT_inventati.org>
Date: Fri, 25 Apr 2014 18:27:34 +0400

Removed special handling of corner case.

Current CSI parsing code uses strtol to parse arguments and allows them
to be negative. Negative argument is not properly handled in tdeletechar
and tinsertblank and results in memory corruption in memmove.

Reproduce with printf '\e[-500_AT_'

---
 st.c | 26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/st.c b/st.c
index e4df18f..5477c81 100644
--- a/st.c
+++ b/st.c
_AT_@ -1588,16 +1588,13 @@ tclearregion(int x1, int y1, int x2, int y2) {
 
 void
 tdeletechar(int n) {
-	int src = term.c.x + n;
-	int dst = term.c.x;
-	int size = term.col - src;
+	int dst, src, size;
 
-	term.dirty[term.c.y] = 1;
+	LIMIT(n, 0, term.col - term.c.x);
 
-	if(src >= term.col) {
-		tclearregion(term.c.x, term.c.y, term.col-1, term.c.y);
-		return;
-	}
+	dst = term.c.x;
+	src = term.c.x + n;
+	size = term.col - src;
 
 	memmove(&term.line[term.c.y][dst], &term.line[term.c.y][src],
 			size * sizeof(Glyph));
_AT_@ -1606,16 +1603,13 @@ tdeletechar(int n) {
 
 void
 tinsertblank(int n) {
-	int src = term.c.x;
-	int dst = src + n;
-	int size = term.col - dst;
+	int dst, src, size;
 
-	term.dirty[term.c.y] = 1;
+	LIMIT(n, 0, term.col - term.c.x);
 
-	if(dst >= term.col) {
-		tclearregion(term.c.x, term.c.y, term.col-1, term.c.y);
-		return;
-	}
+	dst = term.c.x + n;
+	src = term.c.x;
+	size = term.col - dst;
 
 	memmove(&term.line[term.c.y][dst], &term.line[term.c.y][src],
 			size * sizeof(Glyph));
-- 
1.8.4

Received on Fri Apr 25 2014 - 16:27:34 CEST