LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-11 01:06:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibVT: Fix out-of-bounds reads in ICH/DCH escape sequences

Browse Source 
Previously, entering too big counts for these commands could cause a
wrap-around with the cell indices.

Also, we are now correctly copying the cell attributes as well as the
code point.
This commit is contained in:
Daniel Bertalan 2021-06-01 18:48:31 +02:00 committed by Andreas Kling
parent 00a83a2957
commit 5f92790489
Notes: sideshowbarker 2024-07-18 12:30:10 +09:00 
Author: https://github.com/BertalanD
Commit: https://github.com/SerenityOS/serenity/commit/5f927904899
Pull-request: https://github.com/SerenityOS/serenity/pull/7698
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Userland/Libraries/LibVT/Terminal.cpp
View File

@ -736,9 +736,11 @@ void Terminal::DCH(Parameters params)
num = params[0];
auto& line = active_buffer()[cursor_row()];
num = min(num, static_cast<int>(line.length()) - cursor_column());
// Move n characters of line to the left
for (size_t i = cursor_column(); i < line.length() - num; i++)
line.set_code_point(i, line.code_point(i + num));
line.cell_at(i) = line.cell_at(i + num);
// Fill remainder of line with blanks
for (size_t i = line.length() - num; i < line.length(); i++)
@ -868,14 +870,16 @@ void Terminal::ICH(Parameters params)
unsigned num = 1;
if (params.size() >= 1 && params[0] != 0)
num = params[0];
auto& line = active_buffer()[cursor_row()];
auto max_insert = static_cast<unsigned>(line.length()) - cursor_column();
num = min(num, max_insert);
// Move characters after cursor to the right
for (unsigned i = line.length() - num; i >= cursor_column(); --i)
line.set_code_point(i + num, line.code_point(i));
for (int i = line.length() - num - 1; i >= cursor_column(); --i)
line.cell_at(i + num) = line.cell_at(i);
// Fill n characters after cursor with blanks
for (unsigned i = 0; i < num; i++)
for (unsigned i = 0; i < num; ++i)
line.set_code_point(cursor_column() + i, ' ');
line.set_dirty(true);