billiob pushed a commit to branch terminology-1.7.

http://git.enlightenment.org/apps/terminology.git/commit/?id=e7894a887f6094d38722871f192c48ed5c65469a

commit e7894a887f6094d38722871f192c48ed5c65469a
Author: Boris Faure <[email protected]>
Date:   Tue Jun 16 20:54:09 2020 +0200

    termptyesc: fix issue found by fuzzing by Øyvind Kolås (pippin from GIMP)
---
 src/bin/termptyesc.c     | 18 ++++++++++++------
 tests/crash_empty_osc.sh | 16 ++++++++++++++++
 tests/tests.results      |  1 +
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/src/bin/termptyesc.c b/src/bin/termptyesc.c
index 51a14a5..c564440 100644
--- a/src/bin/termptyesc.c
+++ b/src/bin/termptyesc.c
@@ -3954,7 +3954,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const 
Eina_Unicode *ce)
          EINA_FALLTHROUGH;
       case 0:
         // title + icon name
-        if (!*p)
+        if (!p || !*p)
           goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         eina_stringshare_del(ty->prop.title);
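Review bot: The guard `if (!p || !*p) goto err;` is now copied into nine arms of the switch (case 0 here, and 1, 2, 4, 8, 10, 11, 50 and 777 in the hunks below), so an OSC arm added later can silently reintroduce the NULL dereference. Escape sequences reach this parser from whatever writes to the terminal, so a missed arm is a crash that untrusted output can trigger. The assignment of `p` and the top of `_handle_esc_osc` are outside these hunks, so this needs confirming against the full function. If no arm is meant to run with a NULL `p`, a single `if (!p) goto err;` before the `switch` would cover them all. Otherwise a comment where `p` is set, stating when it can be NULL, would document the invariant the arms rely on.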
@@ -3977,7 +3977,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const 
Eina_Unicode *ce)
         break;
       case 1:
         // icon name
-        if (!*p)
+        if (!p || !*p)
           goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         eina_stringshare_del(ty->prop.icon);
@@ -3994,7 +3994,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const 
Eina_Unicode *ce)
         break;
       case 2:
         // Title
-        if (!*p)
+        if (!p || !*p)
           goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         eina_stringshare_del(ty->prop.title);
@@ -4010,7 +4010,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const 
Eina_Unicode *ce)
         if (ty->cb.set_title.func) 
ty->cb.set_title.func(ty->cb.set_title.data);
         break;
       case 4:
-        if (!*p)
+        if (!p || !*p)
           goto err;
         // XXX: set palette entry. not supported.
         ty->decoding_error = EINA_TRUE;
@@ -4020,11 +4020,13 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, 
const Eina_Unicode *ce)
         break;
       case 8:
         DBG("hyperlink");
+        if (!p || !*p)
+          goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         _handle_hyperlink(ty, s, len);
         break;
       case 10:
-        if (!*p)
+        if (!p || !*p)
           goto err;
         if (*p == '?')
           {
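Review bot: In case 8 the result of `eina_unicode_unicode_to_utf8(p, &len)` goes straight into `_handle_hyperlink(ty, s, len)` without a NULL check, while the arms for 50 and 777 in the later hunks test `if (s)` first. The conversion can return NULL when allocation fails, and whether `_handle_hyperlink` tolerates a NULL string is not visible here. Unless it does, `if (s) _handle_hyperlink(ty, s, len);` would make this arm consistent with the others. The rest of the function, including where `s` is released, lies outside the hunk.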
@@ -4053,11 +4055,13 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, 
const Eina_Unicode *ce)
           }
         break;
       case 11:
+        if (!p || !*p)
+          goto err;
         _handle_xterm_11_command(ty, p);
         break;
       case 50:
         DBG("xterm font support");
-        if (!*p)
+        if (!p || !*p)
           goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         if (s)
@@ -4098,6 +4102,8 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const 
Eina_Unicode *ce)
         break;
       case 777:
         DBG("xterm notification support");
+        if (!p || !*p)
+          goto err;
         s = eina_unicode_unicode_to_utf8(p, &len);
         if (s)
           {
diff --git a/tests/crash_empty_osc.sh b/tests/crash_empty_osc.sh
new file mode 100755
index 0000000..33fc6d8
--- /dev/null
+++ b/tests/crash_empty_osc.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# char width: 7
+# char height: 15
+
+# set color
+printf '\033[46;31;3m'
+
+# clear screen
+printf '\033[2J'
+
+# move to 0; 0
+printf '\033[0;0H'
+
+printf '\033]\007'
+printf '\033]\007'
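Review bot: The final two `printf '\033]\007'` lines carry no comment, unlike every other step in the script, and they exercise only an OSC with neither number nor payload. A line such as `# empty OSC (no number, no text): must be ignored without crashing` would say what the test pins and why the sequence is sent twice. The commit also adds brand-new guards to the arms for 8, 11 and 777. If those arms can be reached with an empty payload, a number-only OSC for each would keep the guards from regressing.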
diff --git a/tests/tests.results b/tests/tests.results
index 197f7a1..4bca1a0 100644
--- a/tests/tests.results
+++ b/tests/tests.results
@@ -137,3 +137,4 @@ selection_box_scrolls_down.sh 
c0fc70e8d865236d66edc7ad13af4dbe
 esc_term_name_version.sh 4498d5f9f7d827bcd46774063510c712
 true_color_cache_thrashing.sh 34df56d44685b91eed2802167f48f3c4
 true_color_cache_reuse.sh ab8e074716821d8c213a01729a57f867
+crash_empty_osc.sh b87272896ce7be9856253b32be1bef14

-- 

