patch 9.0.1916: Crash when allocating large terminal screen

Commit: 
https://github.com/vim/vim/commit/aa64ba1587d36de558f47519fa47c27e86c6e49a
Author: Christian Brabandt <[email protected]>
Date:   Tue Sep 19 21:05:20 2023 +0200

    patch 9.0.1916: Crash when allocating large terminal screen
    
    Problem:  Crash when allocating large terminal screen
    Solution: Don't allow values > 1000 for terminal
              screen columns and rows
    
    closes: #13126
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/runtime/doc/visual.txt b/runtime/doc/visual.txt
index 616e773fe..a91969e41 100644
--- a/runtime/doc/visual.txt
+++ b/runtime/doc/visual.txt
@@ -183,7 +183,7 @@ If you want to highlight exactly the same area as the last 
time, you can use
 CTRL-C                 In Visual mode: Stop Visual mode.  When insert mode is
                        pending (the mode message shows
                        "-- (insert) VISUAL --"), it is also stopped.
-                       On MS-Windows, you may need to press CTRL-Break 
+                       On MS-Windows, you may need to press CTRL-Break
                        |dos-CTRL-Break|.
 
 ==============================================================================
diff --git a/src/libvterm/src/screen.c b/src/libvterm/src/screen.c
index 53564be16..7b3322b63 100644
--- a/src/libvterm/src/screen.c
+++ b/src/libvterm/src/screen.c
@@ -776,9 +776,15 @@ static int resize(int new_rows, int new_cols, 
VTermStateFields *fields, void *us
     if(screen->sb_buffer)
       vterm_allocator_free(screen->vt, screen->sb_buffer);
 
+    if (new_cols > 1000)
+      new_cols = 1000;
+
     screen->sb_buffer = vterm_allocator_malloc(screen->vt, 
sizeof(VTermScreenCell) * new_cols);
   }
 
+  if (new_rows > 1000)
+    new_rows = 1000;
+
   resize_buffer(screen, 0, new_rows, new_cols, !altscreen_active, fields);
   if(screen->buffers[BUFIDX_ALTSCREEN])
     resize_buffer(screen, 1, new_rows, new_cols, altscreen_active, fields);
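Review bot: The `new_cols` clamp sits inside the block that closes right after the `sb_buffer` allocation, while the `new_rows` clamp is unconditional, so whenever that block is skipped both `resize_buffer()` calls still receive the caller's unclamped `new_cols`. The block's opening condition is above the hunk, so whether an oversized width can actually reach that path depends on code not shown here. Placing `if (new_cols > 1000) new_cols = 1000;` before the block, next to the row clamp, would remove the question. The literal `1000` also appears twice here and twice more in the `parse_termwinsize()` hunk in src/terminal.c; one named constant, with a comment on why that limit was chosen, would keep the two layers from drifting apart.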
diff --git a/src/terminal.c b/src/terminal.c
index cb889ae19..991f05652 100644
--- a/src/terminal.c
+++ b/src/terminal.c
@@ -272,6 +272,10 @@ parse_termwinsize(win_T *wp, int *rows, int *cols)
     }
     *rows = atoi((char *)wp->w_p_tws);
     *cols = atoi((char *)p + 1);
+    if (*rows > 1000)
+       *rows = 1000;
+    if (*cols > 1000)
+       *cols = 1000;
     return minsize;
 }
 
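Review bot: Only the upper bound is checked after the two `atoi()` calls, and `atoi()` has undefined behaviour when the digit string does not fit in an `int`, so a very long number in 'termwinsize' may come back negative or wrapped and pass both `> 1000` tests. Whether the option validation limits the number of digits is not visible here, since `parse_termwinsize()` starts above the hunk. Reading each value with `strtol()`, for example `long v = strtol((char *)wp->w_p_tws, NULL, 10);`, and treating `v < 0 || v > 1000` as out of range would make the bound hold for any digit string, because `strtol()` saturates instead of wrapping.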
diff --git a/src/testdir/test_terminal2.vim b/src/testdir/test_terminal2.vim
index 8615bf55a..6ce531ed4 100644
--- a/src/testdir/test_terminal2.vim
+++ b/src/testdir/test_terminal2.vim
@@ -64,6 +64,14 @@ func Test_terminal_termwinsize_option_zero()
   call StopShellInTerminal(buf)
   exe buf . 'bwipe'
 
+  " This used to crash Vim
+  set termwinsize=10000*10000
+  let buf = Run_shell_in_terminal({})
+  let win = bufwinid(buf)
+  call assert_equal([1000, 1000], term_getsize(buf))
+  call StopShellInTerminal(buf)
+  exe buf . 'bwipe'
+
   set termwinsize=
 endfunc
 
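Review bot: `let win = bufwinid(buf)` in the added block is never read; the lines after it use only `buf`, so the assignment can be dropped. The assertion also pins the result to the literal `[1000, 1000]`, which ties the test to the limit hard-coded in src/terminal.c. A short comment such as `" 1000 is the upper limit applied in parse_termwinsize()` would tell a later reader where the number comes from. The enclosing function starts above the hunk.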
@@ -271,6 +279,25 @@ func Test_terminal_resize()
   set statusline&
 endfunc
 
+func Test_terminal_resize2()
+  CheckNotMSWindows
+  set statusline=x
+  terminal
+  call assert_equal(2, winnr('$'))
+  let buf = bufnr()
+
+  " Wait for the shell to display a prompt
+  call WaitForAssert({-> assert_notequal('', term_getline(buf, 1))})
+
+  " This used to crash Vim
+  call feedkeys("printf ' [8;99999;99999t'\<CR>", 'xt')
+  redraw
+
+  call feedkeys("exit\<CR>", 'xt')
+  call TermWait(buf)
+  set statusline&
+endfunc
+
 " must be nearly the last, we can't go back from GUI to terminal
 func Test_zz1_terminal_in_gui()
   CheckCanRunGui
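Review bot: `Test_terminal_resize2()` makes no assertion about the terminal size after the resize sequence is sent, so it passes whenever Vim survives and would not notice if the clamp in libvterm stopped applying. If the clamped size is observable through `term_getsize()`, as the other added test suggests, a check such as `call WaitForAssert({-> assert_true(term_getsize(buf)[0] <= 1000)})` after the `redraw` would cover that. The `printf` argument is shown on this page with a space before `[8;`; if the escape byte is really absent from the file rather than lost in the mail rendering, the shell would print plain text and the resize path would not be exercised.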
diff --git a/src/version.c b/src/version.c
index 03cb97fd0..110a84039 100644
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1916,
 /**/
     1915,
 /**/
