1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
Upstream-Status: Backport
CVE: CVE-2012-2738
Signed-off-by: Ross Burton <ross.burton@intel.com>
From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@gnome.org>
Date: Sat, 19 May 2012 19:36:09 +0200
Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535
To guard against malicious sequences containing excessively big numbers,
limit all parsed numbers to 16 bit range. Doing this here in the parsing
routine is a catch-all guard; this doesn't preclude enforcing
more stringent limits in the handlers themselves.
https://bugzilla.gnome.org/show_bug.cgi?id=676090
---
src/table.c | 2 +-
src/vteseq.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/table.c b/src/table.c
index 140e8c8..85cf631 100644
--- a/src/table.c
+++ b/src/table.c
@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
if (G_UNLIKELY (*array == NULL)) {
*array = g_value_array_new(1);
}
- g_value_set_long(&value, total);
+ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
g_value_array_append(*array, &value);
} while (i++ < arginfo->length);
g_value_unset(&value);
diff --git a/src/vteseq.c b/src/vteseq.c
index 7ef4c8c..10991db 100644
--- a/src/vteseq.c
+++ b/src/vteseq.c
@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
GValueArray *params,
VteTerminalSequenceHandler handler)
{
- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
+ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
}
static void
--
2.4.9 (Apple Git-60)
From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@gnome.org>
Date: Sat, 19 May 2012 20:04:12 +0200
Subject: [PATCH 2/2] emulation: Limit repetitions
Don't allow malicious sequences to cause excessive repetitions.
https://bugzilla.gnome.org/show_bug.cgi?id=676090
---
src/vteseq.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/vteseq.c b/src/vteseq.c
index 10991db..209522f 100644
--- a/src/vteseq.c
+++ b/src/vteseq.c
@@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params)
static void
vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
{
- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc);
+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc);
}
/* Delete a line at the current cursor position. */
@@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params)
static void
vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
{
- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd);
+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd);
}
/* Save cursor (position). */
@@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
{
GValue *value;
VteScreen *screen;
- long param, end, row;
- int i;
+ long param, end, row, i, limit;
screen = terminal->pvt->screen;
/* The default is one. */
param = 1;
@@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
} else {
end = screen->insert_delta + terminal->row_count - 1;
}
- /* Insert the new lines at the cursor. */
+
+ /* Only allow to insert as many lines as there are between this row
+ * and the end of the scrolling region. See bug #676090.
+ */
+ limit = end - row + 1;
+ param = MIN (param, limit);
+
for (i = 0; i < param; i++) {
/* Clear a line off the end of the region and add one to the
* top of the region. */
@@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
{
GValue *value;
VteScreen *screen;
- long param, end, row;
- int i;
+ long param, end, row, i, limit;
screen = terminal->pvt->screen;
/* The default is one. */
@@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
} else {
end = screen->insert_delta + terminal->row_count - 1;
}
+
+ /* Only allow to delete as many lines as there are between this row
+ * and the end of the scrolling region. See bug #676090.
+ */
+ limit = end - row + 1;
+ param = MIN (param, limit);
+
/* Clear them from below the current cursor. */
for (i = 0; i < param; i++) {
/* Insert a line at the end of the region and remove one from
--
2.4.9 (Apple Git-60)
|