mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-11-04 09:44:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(terminal): handle C0 characters in OSC terminator (#30090)

Browse Source 
When a C0 character is present in an OSC terminator (i.e. after the ESC
but before a \ (0x5c) or printable character), vterm executes the
control character and resets the current string fragment. If the C0
character is the final byte in the sequence, the string fragment has a
zero length. However, because the VT parser is still in the "escape"
state, vterm attempts to subtract 1 from the string length (to account
for the escape character). When the string fragment is empty, this
causes an underflow in the unsigned size variable, resulting in a buffer
overflow.

The fix is simple: explicitly check if the string length is non-zero
before subtracting.
This commit is contained in:
Gregory Anders
2024-08-19 06:43:06 -05:00
committed by GitHub
parent 33464189bc
commit 6d997f8068
3 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/nvim/terminal.c
View File

@@ -271,10 +271,11 @@ static int parse_osc8(VTermStringFragment frag, int *attr)
} }
static int on_osc(int command, VTermStringFragment frag, void *user) static int on_osc(int command, VTermStringFragment frag, void *user)
FUNC_ATTR_NONNULL_ALL
{ {
Terminal *term = user; Terminal *term = user;
if (frag.str == NULL) { if (frag.str == NULL || frag.len == 0) {
return 0; return 0;
} }

14
src/vterm/parser.c
View File

@@ -1,5 +1,6 @@
#include "vterm_internal.h" #include "vterm_internal.h"
#include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@@ -190,8 +191,10 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
((!IS_STRING_STATE() || c == 0x5c))) { ((!IS_STRING_STATE() || c == 0x5c))) {
c += 0x40; c += 0x40;
c1_allowed = true; c1_allowed = true;
if(string_len) if(string_len) {
assert(string_len > 0);
string_len -= 1; string_len -= 1;
}
vt->parser.in_esc = false; vt->parser.in_esc = false;
} }
else { else {
@@ -377,9 +380,12 @@ string_state:
if(string_start) { if(string_start) {
size_t string_len = bytes + pos - string_start; size_t string_len = bytes + pos - string_start;
if(vt->parser.in_esc) if (string_len > 0) {
string_len -= 1; if(vt->parser.in_esc) {
string_fragment(vt, string_start, string_len, false); string_len -= 1;
}
string_fragment(vt, string_start, string_len, false);
}
} }
return len; return len;

15
test/functional/terminal/parser_spec.lua Normal file
View File

@@ -0,0 +1,15 @@
local n = require('test.functional.testnvim')()
local clear = n.clear
local api = n.api
local assert_alive = n.assert_alive
describe(':terminal', function()
before_each(clear)
it('handles invalid OSC terminators #30084', function()
local chan = api.nvim_open_term(0, {})
api.nvim_chan_send(chan, '\027]8;;https://example.com\027\\Example\027]8;;\027\n')
assert_alive()
end)
end)