Hello,

Here is a patch for another bug. Please refer to the commit message for details.

Sorry to disturb you again. 😂

Best Regards,
Zhang Boyang

From d569b4fbc4233673032a1c5f7463890d5e2223dd Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang...@gmail.com>
Date: Fri, 10 Jun 2022 15:16:33 +0800
Subject: [PATCH v6] Fix crash caused by invalid term->yorig

The SCR(x, y) may return a negative value if term->yorig is negative or
too large, causing memory corruption and a crash. There are two ways to
trigger this bug.

1) When scrolling up, term->yorig is decremented by one. If term->yorig
   is zero, it can be -1 after the decrement, so SCR(0, 0) will become
   negative, causing a crash. Below is the test command:

   bterm -f myfont.bgf -- python3 -c 'print("hello\033Mworld"); input("OK!")'

2) When scrolling down, term->yorig is incremented by one. There is no
   check for integer overflow. When term->yorig is large enough, the
   calculation in SCR(x, y) will overflow and it will return a negative
   value, causing a crash. Below is the test command:

   bterm -f myfont.bgf -- python3 -c 'print("\n"*2200000000); input("OK!")'

This patch fixes the problem by limiting term->yorig to [0, term->ysize)
so there will be no negative value or overflow anymore.
---
 bogl-term.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bogl-term.c b/bogl-term.c
index 2d35d1d..f7fd735 100644
--- a/bogl-term.c
+++ b/bogl-term.c
@@ -188,7 +188,7 @@ cursor_down (struct bogl_term *term)
     }
 
     dirty_scroll(term);
-    ++term->yorig;
+    term->yorig = (term->yorig + 1) % term->ysize;
 
     for (i = 0; i < term->xsize; i++)
     {
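Review bot: the new `term->yorig = (term->yorig + 1) % term->ysize;` only keeps yorig in [0, term->ysize) if yorig is already in that range before the increment and term->ysize is non-zero; neither invariant is stated anywhere in this hunk. Since the same wrap-around is now relied on in two places, it is worth documenting it at the field's definition (or asserting `term->ysize > 0` and `0 <= term->yorig && term->yorig < term->ysize` here), so a future caller that assigns yorig directly cannot silently reintroduce the negative index into SCR(x, y) that the commit message describes.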
@@ -464,7 +464,7 @@ bogl_term_out (struct bogl_term *term, char *s, int n)
 
                     /* Move all other lines down.  Fortunately, this is easy.  */
                     dirty_backscroll(term);
-                    term->yorig--;
+                    term->yorig = (term->yorig - 1 + term->ysize) % term->ysize;
 
                     /* Clear the top line.  */
                     for (i = SCR (0, 0); i < SCR (term->xsize, 0); i++)
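Review bot: the replacement `term->yorig = (term->yorig - 1 + term->ysize) % term->ysize;` correctly yields term->ysize - 1 when yorig is 0, which fixes the "\033M" case from the commit message, but the expression reads as a magic formula next to the existing "Move all other lines down" comment; a one-line comment such as `/* Wrap around: keep yorig within [0, ysize).  */` would explain why ysize is added before the modulo. As with the cursor_down hunk, the guarantee that yorig stays non-negative depends on it having been in range beforehand, so if yorig is ever set elsewhere without the same wrap, the `SCR (0, 0)` loop bound on the next line could still go negative.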
-- 
2.30.2
