Hello,

Here is a patch for another bug. Please refer to the commit message for details.

Sorry to disturb you again. 😂

Best Regards,
Zhang Boyang
From d569b4fbc4233673032a1c5f7463890d5e2223dd Mon Sep 17 00:00:00 2001 From: Zhang Boyang <zhangboyang...@gmail.com> Date: Fri, 10 Jun 2022 15:16:33 +0800 Subject: [PATCH v6] Fix crash caused by invalid term->yorig The SCR(x, y) may return negative value if term->yorig is negative or too large, causing memory corruption and crash. There are two ways to trigger this bug. 1) When scrolling up, term->yorig is decremented by one. If term->yorig is zero, it can be -1 after the decrement, so SCR(0, 0) will become negative, causing crash. Below is the test command: bterm -f myfont.bgf -- python3 -c 'print("hello\033Mworld"); input("OK!")' 2) When scrolling down, term->yorig is incremented by one. There is no check for integer overflow. When term->yorig is large enough, the calculation in SCR(x, y) will overflow and it will return negative value, causing crash. Below is the test command: bterm -f myfont.bgf -- python3 -c 'print("\n"*2200000000); input("OK!")' This patch fixes the problem by limiting term->yorig to [0, term->ysize) so there will be no negative value or overflow anymore. --- bogl-term.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bogl-term.c b/bogl-term.c index 2d35d1d..f7fd735 100644 --- a/bogl-term.c +++ b/bogl-term.c @@ -188,7 +188,7 @@ cursor_down (struct bogl_term *term) } dirty_scroll(term); - ++term->yorig; + term->yorig = (term->yorig + 1) % term->ysize; for (i = 0; i < term->xsize; i++) { @@ -464,7 +464,7 @@ bogl_term_out (struct bogl_term *term, char *s, int n) /* Move all other lines down. Fortunately, this is easy. */ dirty_backscroll(term); - term->yorig--; + term->yorig = (term->yorig - 1 + term->ysize) % term->ysize; /* Clear the top line. */ for (i = SCR (0, 0); i < SCR (term->xsize, 0); i++) -- 2.30.2
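Review bot: `term->yorig = (term->yorig + 1) % term->ysize;` in cursor_down divides by term->ysize with no guard, so a term whose ysize is 0 now faults in the modulo instead of in SCR; if ysize can ever be zero, add a check where it is computed or an assert(term->ysize > 0) here. The new invariant (yorig always in [0, ysize)) should also be documented next to the yorig field in the struct, since both hunks and every SCR() caller rely on it.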
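Review bot: `term->yorig = (term->yorig - 1 + term->ysize) % term->ysize;` in bogl_term_out open-codes the same wrap as cursor_down; a small static helper used by both hunks would keep the [0, ysize) invariant in one place. The expression is only correct when yorig is already in range: if any other writer to yorig still leaves it negative or above ysize, `yorig - 1 + ysize` can still be negative and C's % then returns a negative remainder, which is exactly the SCR(0, 0) underflow the commit message describes, so it is worth confirming that these two sites are the only places yorig is modified.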
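The two failure modes the commit message describes (yorig driven to -1 by a reverse index at the top, and y + yorig wrapping negative once yorig grows past INT_MAX) and the effect of the wrap-around the patch introduces, modelled in a small C program. This is an added example, not bogl's or the author's code: the struct, the function names and the shape of scr_index() (screen row y maps to buffer row (y + yorig) mod ysize, then to a linear cell index) are assumptions chosen to match the symptoms described, not the real SCR macro.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of bterm's scroll state (added example, not bogl's code).
 * xsize, ysize: columns and rows of the screen ring buffer.
 * yorig: buffer row currently shown on screen row 0. */
struct term_model {
    int xsize;
    int ysize;
    int32_t yorig;
};

/* Assumed shape of an SCR(x, y)-style cell index: screen row y maps to buffer
 * row (y + yorig) mod ysize, then to a linear index.  The addition goes
 * through uint32_t so this example reproduces the 32-bit wrap-around a plain
 * int add shows on two's-complement hardware without itself invoking
 * undefined behaviour.  C's % keeps the sign of the dividend, so a negative
 * row yields a negative index. */
static int32_t scr_index(const struct term_model *t, int x, int y)
{
    int32_t row = (int32_t)((uint32_t)y + (uint32_t)t->yorig);
    return (row % t->ysize) * t->xsize + x;
}

/* Pre-patch updates: unbounded increment / decrement. */
static void cursor_down_naive(struct term_model *t)   { t->yorig++; }
static void reverse_index_naive(struct term_model *t) { t->yorig--; }

/* Post-patch updates: yorig always stays in [0, ysize).
 * Requires ysize > 0, otherwise the % divides by zero. */
static void cursor_down_fixed(struct term_model *t)
{
    t->yorig = (t->yorig + 1) % t->ysize;
}
static void reverse_index_fixed(struct term_model *t)
{
    t->yorig = (t->yorig - 1 + t->ysize) % t->ysize;
}

/* Failure mode 1 (reverse index at the top): yorig goes 0 -> -1 and the
 * index of the top-left cell becomes -xsize. */
int32_t naive_index_after_reverse_index(int xsize, int ysize)
{
    struct term_model t = { xsize, ysize, 0 };
    reverse_index_naive(&t);
    return scr_index(&t, 0, 0);
}

/* Failure mode 2 (scrolling down without bound): after 2^31 - 1 line feeds
 * yorig sits at INT32_MAX and y + yorig wraps negative for every screen row
 * but the first.  The state is set directly rather than by looping 2^31
 * times; cursor_down_naive is what would get it there. */
int32_t naive_index_near_int_max(int xsize, int ysize, int y)
{
    struct term_model t = { xsize, ysize, INT32_MAX };
    (void)cursor_down_naive;
    return scr_index(&t, 0, y);
}

/* With the patched updates, scroll n_down lines down then n_up lines up,
 * checking after every step that yorig is in range and that every on-screen
 * cell maps to a valid index in [0, xsize*ysize).  Returns the final yorig,
 * or -1 on the first violation (or if the geometry is not positive). */
int32_t fixed_yorig_after(int xsize, int ysize, long n_down, long n_up)
{
    struct term_model t = { xsize, ysize, 0 };
    long i;

    if (ysize <= 0 || xsize <= 0)
        return -1;

    for (i = 0; i < n_down + n_up; i++) {
        int x, y;
        if (i < n_down)
            cursor_down_fixed(&t);
        else
            reverse_index_fixed(&t);
        if (t.yorig < 0 || t.yorig >= ysize)
            return -1;
        for (y = 0; y < ysize; y++)
            for (x = 0; x < xsize; x++) {
                int32_t idx = scr_index(&t, x, y);
                if (idx < 0 || idx >= xsize * ysize)
                    return -1;
            }
    }
    return t.yorig;
}

int main(void)
{
    printf("naive, ESC M at top:      SCR(0,0) = %d\n",
           naive_index_after_reverse_index(80, 25));
    printf("naive, yorig = INT32_MAX: SCR(0,1) = %d\n",
           naive_index_near_int_max(80, 25, 1));
    printf("fixed, 1003 down / 7 up:  yorig = %d\n",
           fixed_yorig_after(80, 25, 1003, 7));
    return 0;
}
```

On an 80x25 geometry the naive reverse index yields SCR(0,0) = -80, and with yorig at INT32_MAX screen row 0 still indexes correctly (1760) while row 1 wraps to -1840; the patched updates keep every index inside the buffer no matter how far the terminal scrolls, and the only precondition they add is a non-zero ysize.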