patch 9.2.0697: possible overflow when parsing CSI keys

Problem:  possible overflow when parsing CSI keys (cipher-creator)
Solution: Reject key codes above U+10FFFF and enlarge the key buffer,
          guard the CSI argument accumulator against overflow

closes: #20556

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/term.c b/src/term.c
index dcb9c92442ec18b2d9183978776094f2f5083b64..b789f39248368f8a9abb7f640099b7f3f6546b2d 100644 (file)
--- a/src/term.c
+++ b/src/term.c
@@ -5443,9 +5443,14 @@ put_key_modifiers_in_typebuf(
     modifiers = may_remove_shift_modifier(modifiers, key);
 
     // Produce modifiers with K_SPECIAL KS_MODIFIER {mod}
-    char_u string[MAX_KEY_CODE_LEN + 1];
+    // worst-case: 3-byte modifier + 4 byte multi-char key + NUL
+    char_u string[MAX_KEY_CODE_LEN + 2];
     int new_slen = modifiers2keycode(modifiers, &key, string);
 
+    // reject overlong key that would overflow string
+    if (key > 0x10FFFF)
+       return -1;
+
     // Add the bytes for the key.
     new_slen += add_key_to_buf(key, string + new_slen);
 
@@ -5713,7 +5718,9 @@ handle_csi(
                        return -1;
                    if (!VIM_ISDIGIT(*ap))
                        break;
-                   arg[argc] = arg[argc] * 10 + (*ap - '0');
+                   // avoid overflow
+                   if (arg[argc] <= (INT_MAX - 9) / 10)
+                       arg[argc] = arg[argc] * 10 + (*ap - '0');
                    ++ap;
                }
                ++argc;

diff --git a/src/version.c b/src/version.c
index 5fca1bd8cf0a80fdc68ea865d47fc3aac64906fa..f8268b842e73cdf2df6d8e5798831a9c542f1c0a 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    697,
 /**/
     696,
 /**/