Since upgrading to 6.7 I've occasionally seen the tmux server crash
when a client connects to a session.
(I can't say for sure that it never happened pre-6.7, since it's
occasional and my usage patterns have drifted over time.)

Today it annoyed me enough to track it down, and it looks like a
loop index management bug in the terminal escape code handling;
there's a loop that scans through a string and discards some
substrings, and the body of the loop can leave the pointer pointing
at the '\0' byte that terminates the string.  When this happens,
the loop control advances the pointer again, past the terminator
byte, so it keeps examining whatever comes next.

Index: tty-term.c
===================================================================
RCS file: /cvs/src/usr.bin/tmux/tty-term.c,v
retrieving revision 1.76
diff -u -p -r1.76 tty-term.c
--- tty-term.c  23 Apr 2020 10:22:53 -0000      1.76
+++ tty-term.c  23 Aug 2020 00:05:09 -0000
@@ -295,7 +295,7 @@ tty_term_strip(const char *s)
                }
 
                buf[len++] = *ptr;
-               if (len == (sizeof buf) - 1)
+               if (len == (sizeof buf) - 1 || *ptr == '\0')
                        break;
        }
        buf[len] = '\0';
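Review bot: the added `|| *ptr == '\0'` test fires only after `buf[len++] = *ptr;` has already copied the terminator into buf and bumped len; the output is still correctly terminated because `buf[len] = '\0';` follows the loop, but testing `*ptr == '\0'` before the store would avoid writing the stray NUL and counting it in len, and would read more directly as "the padding scan consumed the rest of the string". A one-line comment on the break would help too, since the reason ptr can be sitting on the terminator lives in the lines above the hunk, not in the condition itself.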

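To make the overrun concrete, here is an added C example (not tmux's code) that mirrors the shape of the tty_term_strip loop in the hunk and runs it against a constructed string with bytes planted after its terminator; strip_padding, scan_stop, stripped_equals, BUFSZ and the sample input are assumptions of this example, and the fixed flag switches between the unpatched and patched break condition.

```c
#include <string.h>

#define BUFSZ 64   /* stand-in for the large static buffer in tty-term.c */

/*
 * Copy s into out, dropping "$<...>" padding sequences, and return the
 * offset in s at which the scan stopped.  With fixed == 0 this is the
 * unpatched loop: after an unterminated "$<" the inner while leaves ptr on
 * the NUL, the NUL is copied, and the for-loop's ptr++ steps past the end
 * of the string.  With fixed == 1 the patched condition breaks on the NUL.
 */
size_t strip_padding(const char *s, char *out, int fixed)
{
	const char *ptr;
	size_t len = 0;

	for (ptr = s; *ptr != '\0'; ptr++) {
		if (*ptr == '$' && *(ptr + 1) == '<') {
			while (*ptr != '\0' && *ptr != '>')
				ptr++;
			if (*ptr == '>')
				ptr++;	/* can also land on the NUL */
		}
		out[len++] = *ptr;
		if (len == BUFSZ - 1 || (fixed && *ptr == '\0'))
			break;
	}
	out[len] = '\0';
	return (size_t)(ptr - s);
}

/* Constructed input: an unterminated "$<", the NUL terminator at offset 5,
 * then bytes a correct scan must never examine. */
static const char sample[] = "ab$<5\0XYZ";

/* Offset where the scan stopped on sample: 5 when patched, 9 when not. */
size_t scan_stop(const char *s, int fixed)
{
	char out[BUFSZ];
	return strip_padding(s, out, fixed);
}

/* 1 if stripping s yields expect, else 0. */
int stripped_equals(const char *s, int fixed, const char *expect)
{
	char out[BUFSZ];
	strip_padding(s, out, fixed);
	return strcmp(out, expect) == 0;
}
```

With a properly closed sequence such as "ab$<5>cd" both variants stop at the real terminator; only the unterminated case sends the unpatched loop into the bytes beyond it.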