Out-of-bounds write when parsing CSI parameters
astoeckel opened this issue · comments
Feeding the following character sequence into ./test
causes an out-of-bounds write in line 60 of vtparse.c
:
echo -en "\e["`printf '99;%.0s' {0..15}`m | ./test
Relevant code snippet:
/* process the param character */
if(ch == ';')
{
parser->num_params += 1;
parser->params[parser->num_params-1] = 0; /* <- bad */
}
Fortunately, at the moment, this is not a severe issue, since the next member after params
in struct vtparser
is num_params
, which is reset to zero in the above code. However, if params
was at the end of the vtparser
structure, this would allow to override whatever comes next in memory. Still, even with the way it is right now, writing outside the bounds of a fixed-size array is undefined behaviour and should be fixed.
I suggest an explicit check before incrementing num_params
and going to an error state if parser->num_params
is greater than the size of the params
array.
It is fixed in my latest pull request.
echo -en "\e["`printf '99;%.0s' {0..15}`m | ./test
Received action ERROR
17 Parameters:
99
99
99
99
99
99
99
99
99
99
99
99
99
99
99
99
17
Received action CSI_DISPATCH
Char: 0x6d ('m')
17 Parameters:
99
99
99
99
99
99
99
99
99
99
99
99
99
99
99
99
17
As one can see, the 17 which is the number of parameters is not overwritten anymore. Although, the current test code just reads beyond the buffer as well :D Which is another bug.