Fix crash on invalid CSI parameters

If a semicolon-delimited list of CSI parameters contained an (invalid) long
sequence of ascii numeric characters, the original code would keep multiplying
by ten and adding the most recent ones field until the `params[count][subcount]`
u32 value overflowed.

This was found via automated fuzz testing of the `try_readch()` routine against
a corpus of some proper/valid CSI escapes.
This commit is contained in:
Mahmoud Al-Qudsi 2024-11-20 14:53:39 -06:00
parent b92830cb17
commit edd82be58d

View File

@ -846,13 +846,17 @@ pub trait InputEventQueuer {
let mut subcount = 0; let mut subcount = 0;
while count < 16 && c >= 0x30 && c <= 0x3f { while count < 16 && c >= 0x30 && c <= 0x3f {
if c.is_ascii_digit() { if c.is_ascii_digit() {
params[count][subcount] = params[count][subcount] * 10 + u32::from(c - b'0'); // Return None on invalid ascii numeric CSI parameter exceeding u32 bounds
params[count][subcount] = params[count][subcount]
.checked_mul(10)
.and_then(|result| result.checked_add(u32::from(c - b'0')))?;
} else if c == b':' && subcount < 3 { } else if c == b':' && subcount < 3 {
subcount += 1; subcount += 1;
} else if c == b';' { } else if c == b';' {
count += 1; count += 1;
subcount = 0; subcount = 0;
} else { } else {
// Unexpected character or unrecognized CSI
return None; return None;
} }
c = next_char(self); c = next_char(self);