$ rxvt -e sh -c "echo -e '\e]4;;[0\x9c'"
ASAN:SIGSEGV
=================================================================
==18168==ERROR: AddressSanitizer: SEGV on unknown address 0x601ffd07da10 (pc 0x7f7de1a8aaea bp 0x7ffffd0771b0 sp 0x7ffffd076948 T0)
#0 0x7f7de1a8aae9 (/lib/x86_64-linux-gnu/libc.so.6+0x88ae9)
... (skip)
rxvt_color::set (rxvt_screen *screen, const char *name)
{
  rgba c;
  char eos;
  int skip;

  c.a = rgba::MAX_CC;

  // parse the nonstandard "[alphapercent]" prefix
  if (1 <= sscanf (name, "[%hd]%n", &c.a, &skip))
    {
      c.a = lerp<int, int, int> (0, rgba::MAX_CC, c.a);
      name += skip;
    }
The problem is, name="[0". sscanf() parsed |c.a| and returned 1, but didn't fill
|skip|.
And |skip| is not initialized. Depending on its value, rxvt may crash later.
This is found by afl-fuzz.
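A hardened version of the prefix parse, added here as an example and not rxvt's own code: `skip` starts at 0 and the scan must actually have reached `%n` (skip > 0) before the prefix is consumed, so "[0" no longer advances `name` by an indeterminate amount. `MAX_CC` and `lerp_cc` are simplified stand-ins for rxvt's `rgba::MAX_CC` and `lerp`, assumed for this example.

```c
#include <stdio.h>

/* Stand-ins for rxvt's rgba::MAX_CC and lerp(); assumed, simplified. */
#define MAX_CC 65535

static int lerp_cc(int a, int b, int percent)
{
    return (a * (100 - percent) + b * percent) / 100;
}

/* Parse the optional "[alphapercent]" prefix.  Returns the number of bytes a
 * complete prefix occupies, or 0 if there is none.  Two changes relative to the
 * excerpt above: `skip` is initialised, and a positive `skip` is required,
 * because %n is only stored when the scan reaches it.  For "[0" the scan stops
 * at the missing ']' after %hd has already matched, so sscanf returns 1 and
 * `skip` is never written. */
int alpha_prefix_len(const char *name, int *alpha_out)
{
    short pct;
    int skip = 0;

    if (sscanf(name, "[%hd]%n", &pct, &skip) >= 1 && skip > 0) {
        if (pct < 0)   pct = 0;      /* clamp: %hd also accepts a sign */
        if (pct > 100) pct = 100;
        *alpha_out = lerp_cc(0, MAX_CC, pct);
        return skip;
    }
    return 0;
}

/* Alpha value (0..MAX_CC) for a complete prefix, -1 when there is none. */
int alpha_of(const char *name)
{
    int alpha;
    return alpha_prefix_len(name, &alpha) ? alpha : -1;
}

int main(void)
{
    /* constructed inputs, including the fuzzer's "[0" case */
    const char *inputs[] = { "[0", "[50]red", "[100]#ff0000", "red", "[abc]" };
    for (unsigned i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int alpha = 0;
        int len = alpha_prefix_len(inputs[i], &alpha);
        printf("%-14s prefix bytes=%d alpha=%d\n", inputs[i], len, len ? alpha : -1);
    }
    return 0;
}
```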
_______________________________________________
rxvt-unicode mailing list
http://lists.schmorp.de/mailman/listinfo/rxvt-unicode
