patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args

Problem:  Accumulating CSI argument digits without an upper bound causes
          signed integer overflow when the argument exceeds LONG_MAX.
Solution: Clamp CSI argument accumulation to CSI_ARG_MISSING to prevent
          signed integer overflow (Yasuhiro Matsumoto).

closes: #19894

Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/libvterm/src/parser.c b/src/libvterm/src/parser.c
index b060e2b8ad74ab62cf790eb8752aeaa8da897dec..e167e0cb1a5c12889c910e1bebda03059d920479 100644 (file)
--- a/src/libvterm/src/parser.c
+++ b/src/libvterm/src/parser.c
@@ -232,8 +232,10 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
       if(c >= '0' && c <= '9') {
         if(vt->parser.v.csi.args[vt->parser.v.csi.argi] == CSI_ARG_MISSING)
           vt->parser.v.csi.args[vt->parser.v.csi.argi] = 0;
-        vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
-        vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+        if(vt->parser.v.csi.args[vt->parser.v.csi.argi] < (CSI_ARG_MISSING - 9) / 10) {
+          vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
+          vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+        }
         break;
       }
       if(c == ':') {

diff --git a/src/version.c b/src/version.c
index a3f4f24a9a9b7229e70434ae7c87411e6e228d2d..e81115c3105fc592279af7d9bf8e4e65b67137c4 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    288,
 /**/
     287,
 /**/