Thanks. How about this instead?
Index: tty-term.c
===================================================================
RCS file: /cvs/src/usr.bin/tmux/tty-term.c,v
retrieving revision 1.82
diff -u -p -r1.82 tty-term.c
--- tty-term.c 5 Jun 2020 09:32:15 -0000 1.82
+++ tty-term.c 23 Aug 2020 20:14:19 -0000
@@ -302,6 +302,8 @@ tty_term_strip(const char *s)
ptr++;
if (*ptr == '>')
ptr++;
+ if (*ptr == '\0')
+ break;
}
buf[len++] = *ptr;
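Review bot: the added `if (*ptr == '\0') break;` after the `'>'` skip carries no comment, and the reason for it is not obvious from the code alone. A one-line comment would help, saying that the skip can leave ptr on the terminator and that the for loop's own increment would then step past it. Placing the check here means the loop exits before `buf[len++] = *ptr;`, so the terminator is never stored or counted in len. A regression test using a string that ends in a padding sequence would pin the behaviour down.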
On Sat, Aug 22, 2020 at 08:15:01PM -0400, Dave Vandervies wrote:
> Since upgrading to 6.7 I've occasionally seen the tmux server crash
> when a client connects to a session.
> (I can't say for sure that it never happened pre-6.7, since it's
> occasional and my usage patterns have drifted over time.)
>
> Today it annoyed me enough to track it down, and it looks like a
> loop index management bug in the terminal escape code handling;
> there's a loop that scans through a string and discards some
> substrings, and the body of the loop can leave the pointer pointing
> at the '\0' byte that terminates the string. When this happens,
> the loop control advances the pointer again, past the terminator
> byte, so it keeps examining whatever comes next.
>
> Index: tty-term.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tmux/tty-term.c,v
> retrieving revision 1.76
> diff -u -p -r1.76 tty-term.c
> --- tty-term.c 23 Apr 2020 10:22:53 -0000 1.76
> +++ tty-term.c 23 Aug 2020 00:05:09 -0000
> @@ -295,7 +295,7 @@ tty_term_strip(const char *s)
> }
>
> buf[len++] = *ptr;
> - if (len == (sizeof buf) - 1)
> + if (len == (sizeof buf) - 1 || *ptr == '\0')
> break;
> }
> buf[len] = '\0';
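Review bot: in the changed condition after `buf[len++] = *ptr;`, the `*ptr == '\0'` test only runs once the terminator has already been copied into buf and counted in len. The result is still a correctly terminated string, since `buf[len] = '\0';` follows the loop, but len ends up one larger than the string length, and the condition now mixes a buffer-full exit with an end-of-input exit on one line. Testing for the terminator before the store, right where the skip can leave ptr on it, keeps the two exits separate and avoids copying the extra byte.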
>
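The loop behaviour described in the report above, as an added example that is not part of the original thread and is not tmux's code. `strip_padding`, `check_nul`, `run_sample` and the `sample` bytes are constructed for illustration, modelled only on the fragments visible in the two diffs.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed illustration, not tmux source: copy src into out, dropping
 * "$<...>" padding. check_nul == 0 gives the loop shape from the report;
 * nonzero stops once the skip lands on the terminator. Returns bytes stored.
 */
static size_t
strip_padding(const char *src, char *out, size_t outsz, int check_nul)
{
	const char *ptr;
	size_t len = 0;

	for (ptr = src; *ptr != '\0'; ptr++) {	/* ptr++ runs after every pass */
		if (*ptr == '$' && *(ptr + 1) == '<') {
			while (*ptr != '\0' && *ptr != '>')
				ptr++;
			if (*ptr == '>')
				ptr++;
			if (check_nul && *ptr == '\0')
				break;
		}
		out[len++] = *ptr;	/* unchecked: may store the NUL itself */
		if (len == outsz - 1)
			break;
	}
	out[len] = '\0';
	return len;
}

/* Constructed input: "ab$<5>" plus in-array bytes standing in for adjacent memory. */
static const char sample[] = "ab$<5>\0ZZ";

static size_t
run_sample(int check_nul)
{
	char out[32];

	return strip_padding(sample, out, sizeof out, check_nul);
}

int
main(void)
{
	printf("unchecked: %zu, checked: %zu\n", run_sample(0), run_sample(1));
	return 0;
}
```

The unchecked run stores 5 bytes (the embedded NUL and both `Z` bytes included), while the checked run stores 2.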