h/fish-shell
1
Fork 0
mirror of https://github.com/fish-shell/fish-shell.git synced 2026-05-30 11:21:15 -03:00
Code Issues Packages Projects Releases Wiki Activity

Fix crash on invalid CSI parameters

Browse Source 
If a semicolon-delimited list of CSI parameters contained an (invalid) long
sequence of ascii numeric characters, the original code would keep multiplying
by ten and adding the most recent ones field until the `params[count][subcount]`
u32 value overflowed.

This was found via automated fuzz testing of the `try_readch()` routine against
a corpus of some proper/valid CSI escapes.
This commit is contained in:
Mahmoud Al-Qudsi
2024-11-20 14:53:39 -06:00
parent b92830cb17
commit edd82be58d
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/input_common.rs
View File

@@ -846,13 +846,17 @@ fn parse_csi(&mut self, buffer: &mut Vec<u8>) -> Option<Key> {
let mut subcount = 0;
while count < 16 && c >= 0x30 && c <= 0x3f {
if c.is_ascii_digit() {
params[count][subcount] = params[count][subcount] * 10 + u32::from(c - b'0');
// Return None on invalid ascii numeric CSI parameter exceeding u32 bounds
params[count][subcount] = params[count][subcount]
.checked_mul(10)
.and_then(|result| result.checked_add(u32::from(c - b'0')))?;
} else if c == b':' && subcount < 3 {
subcount += 1;
} else if c == b';' {
count += 1;
subcount = 0;
} else {
// Unexpected character or unrecognized CSI
return None;
}
c = next_char(self);