mirror of
https://github.com/fish-shell/fish-shell.git
synced 2024-12-19 05:13:44 +08:00
Fix crash on invalid CSI parameters
If a semicolon-delimited list of CSI parameters contained an (invalid) long sequence of ascii numeric characters, the original code would keep multiplying by ten and adding the most recent ones field until the `params[count][subcount]` u32 value overflowed. This was found via automated fuzz testing of the `try_readch()` routine against a corpus of some proper/valid CSI escapes.
This commit is contained in:
parent
b92830cb17
commit
edd82be58d
|
@ -846,13 +846,17 @@ pub trait InputEventQueuer {
|
||||||
let mut subcount = 0;
|
let mut subcount = 0;
|
||||||
while count < 16 && c >= 0x30 && c <= 0x3f {
|
while count < 16 && c >= 0x30 && c <= 0x3f {
|
||||||
if c.is_ascii_digit() {
|
if c.is_ascii_digit() {
|
||||||
params[count][subcount] = params[count][subcount] * 10 + u32::from(c - b'0');
|
// Return None on invalid ascii numeric CSI parameter exceeding u32 bounds
|
||||||
|
params[count][subcount] = params[count][subcount]
|
||||||
|
.checked_mul(10)
|
||||||
|
.and_then(|result| result.checked_add(u32::from(c - b'0')))?;
|
||||||
} else if c == b':' && subcount < 3 {
|
} else if c == b':' && subcount < 3 {
|
||||||
subcount += 1;
|
subcount += 1;
|
||||||
} else if c == b';' {
|
} else if c == b';' {
|
||||||
count += 1;
|
count += 1;
|
||||||
subcount = 0;
|
subcount = 0;
|
||||||
} else {
|
} else {
|
||||||
|
// Unexpected character or unrecognized CSI
|
||||||
return None;
|
return None;
|
||||||
}
|
}
|
||||||
c = next_char(self);
|
c = next_char(self);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user