|
1
|
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
|
|
2
|
+ Check for out-of-bounds condition while drawing sixels, and quit that
|
|
3
|
+ operation (report by Nick Black, CVE-2022-24130).
|
|
4
|
+Bug-Debian: https://bugs.debian.org/1004689
|
|
5
|
+
|
|
6
|
+---
|
|
7
|
+ graphics_sixel.c | 25 +++++++++++++++++++------
|
|
8
|
+ 1 file changed, 19 insertions(+), 6 deletions(-)
|
|
9
|
+
|
|
10
|
+--- a/graphics_sixel.c
|
|
11
|
++++ b/graphics_sixel.c
|
|
12
|
+@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic,
|
|
13
|
+ graphic->color_registers_used[context->background] = 1;
|
|
14
|
+ }
|
|
15
|
+
|
|
16
|
+-static void
|
|
17
|
++static Boolean
|
|
18
|
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
|
|
19
|
+ {
|
|
20
|
+ const int mh = graphic->max_height;
|
|
21
|
+@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext
|
|
22
|
+ ((color != COLOR_HOLE)
|
|
23
|
+ ? (unsigned) graphic->color_registers[color].b : 0U)));
|
|
24
|
+ for (pix = 0; pix < 6; pix++) {
|
|
25
|
+- if (context->col < mw && context->row + pix < mh) {
|
|
26
|
++ if (context->col >= 0 &&
|
|
27
|
++ context->col < mw &&
|
|
28
|
++ context->row + pix >= 0 &&
|
|
29
|
++ context->row + pix < mh) {
|
|
30
|
+ if (sixel & (1 << pix)) {
|
|
31
|
+ if (context->col + 1 > graphic->actual_width) {
|
|
32
|
+ graphic->actual_width = context->col + 1;
|
|
33
|
+@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext
|
|
34
|
+ }
|
|
35
|
+ } else {
|
|
36
|
+ TRACE(("sixel pixel %d out of bounds\n", pix));
|
|
37
|
++ return False;
|
|
38
|
+ }
|
|
39
|
+ }
|
|
40
|
++ return True;
|
|
41
|
+ }
|
|
42
|
+
|
|
43
|
+ static void
|
|
44
|
+@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params
|
|
45
|
+ init_sixel_background(graphic, &context);
|
|
46
|
+ graphic->valid = 1;
|
|
47
|
+ }
|
|
48
|
+- if (sixel)
|
|
49
|
+- set_sixel(graphic, &context, sixel);
|
|
50
|
++ if (sixel) {
|
|
51
|
++ if (!set_sixel(graphic, &context, sixel)) {
|
|
52
|
++ context.col = 0;
|
|
53
|
++ break;
|
|
54
|
++ }
|
|
55
|
++ }
|
|
56
|
+ context.col++;
|
|
57
|
+ } else if (ch == '$') { /* DECGCR */
|
|
58
|
+ /* ignore DECCRNLM in sixel mode */
|
|
59
|
+@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params
|
|
60
|
+ if (sixel) {
|
|
61
|
+ int i;
|
|
62
|
+ for (i = 0; i < Pcount; i++) {
|
|
63
|
+- set_sixel(graphic, &context, sixel);
|
|
64
|
+- context.col++;
|
|
65
|
++ if (set_sixel(graphic, &context, sixel)) {
|
|
66
|
++ context.col++;
|
|
67
|
++ } else {
|
|
68
|
++ context.col = 0;
|
|
69
|
++ break;
|
|
70
|
++ }
|
|
71
|
+ }
|
|
72
|
+ } else {
|
|
73
|
+ context.col += Pcount;
|