patch 9.1.1082: unexpected DCS responses may cause out of bounds reads

Problem:  unexpected DCS responses may cause out of bounds reads
          (after v9.1.1054)
Solution: check that the parsed value is '=' as expected
          (Julio B)

Signed-off-by: Julio B <julio.bacel@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/term.c b/src/term.c
index 4d30ee1ca8451e7b3502e4fb15ff84032d8e1bfc..318b982d75dd9f696b0a4f1dc8018e96fb8249f8 100644 (file)
--- a/src/term.c
+++ b/src/term.c
@@ -7136,7 +7136,9 @@ req_more_codes_from_term(void)
 }
 
 /*
- * Decode key code response from xterm: '<Esc>P1+r<name>=<string><Esc>\'.
+ * Decode key code response from xterm:
+ * '<Esc>P1+r<name>=<string><Esc>\' if it is enabled/supported
+ * '<Esc>P0+r<Esc>\'                if it not enabled
  * A "0" instead of the "1" indicates a code that isn't supported.
  * Both <name> and <string> are encoded in hex.
  * "code" points to the "0" or "1".
@@ -7152,8 +7154,9 @@ got_code_from_term(char_u *code, int len)
     int                c;
 
     // A '1' means the code is supported, a '0' means it isn't.
+    // If it is supported, there must be a '=' following
     // When half the length is > XT_LEN we can't use it.
-    if (code[0] == '1' && (code[7] || code[9] == '=') && len / 2 < XT_LEN)
+    if (code[0] == '1' && (code[7] == '=' || code[9] == '=') && len / 2 < XT_LEN)
     {
        // Get the name from the response and find it in the table.
        name[0] = hexhex2nr(code + 3);

diff --git a/src/version.c b/src/version.c
index 55cbd4fdaf8310014b589fb3fd5d10765566fc72..35deca8635211457b7014692a77ce177ad670d67 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1082,
 /**/
     1081,
 /**/