Date: Fri, 21 Aug 2015 06:30:13 +0000 (UTC)
From: Ed Schouten <ed@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r286981 - head/sys/teken
Message-ID: <201508210630.t7L6UDxJ094838@repo.freebsd.org>
Author: ed Date: Fri Aug 21 06:30:13 2015 New Revision: 286981 URL: https://svnweb.freebsd.org/changeset/base/286981 Log: Don't truncate cursor arithmetic to 16 bits. When updating the row number when the cursor position escape sequence is issued, we should make sure to store the intermediate result in a 32-bit integer. If we fail to do this, the cursor may be set above the origin region, which is bad. This could cause libteken to crash when INVARIANTS is enabled, due to the strict set of assertions that libteken has. PR: 202540 Reported by: kcwu csie org MFC after: 1 month Modified: head/sys/teken/teken_subr.h Modified: head/sys/teken/teken_subr.h ============================================================================== --- head/sys/teken/teken_subr.h Fri Aug 21 05:03:03 2015 (r286980) +++ head/sys/teken/teken_subr.h Fri Aug 21 06:30:13 2015 (r286981) @@ -324,13 +324,13 @@ static void teken_subr_cursor_position(teken_t *t, unsigned int row, unsigned int col) { - t->t_cursor.tp_row = t->t_originreg.ts_begin + row - 1; - if (t->t_cursor.tp_row >= t->t_originreg.ts_end) - t->t_cursor.tp_row = t->t_originreg.ts_end - 1; - - t->t_cursor.tp_col = col - 1; - if (t->t_cursor.tp_col >= t->t_winsize.tp_col) - t->t_cursor.tp_col = t->t_winsize.tp_col - 1; + row = row - 1 + t->t_originreg.ts_begin; + t->t_cursor.tp_row = row < t->t_originreg.ts_end ? + row : t->t_originreg.ts_end - 1; + + col--; + t->t_cursor.tp_col = col < t->t_winsize.tp_col ? + col : t->t_winsize.tp_col - 1; t->t_stateflags &= ~TS_WRAPPED; teken_funcs_cursor(t);
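Review bot: In `row = row - 1 + t->t_originreg.ts_begin;` the offset is still added in wrapping `unsigned int` arithmetic before the `row < t->t_originreg.ts_end` comparison, so the wrap is moved from 16 bits to 32 bits rather than ruled out. If `row` can arrive as 0, or as a value close to UINT_MAX, while `ts_begin` is nonzero, the sum wraps to a small number that passes the `< ts_end` test and leaves `tp_row` below `ts_begin`, which is the "above the origin region" state the log message wants to prevent. Unless the caller is guaranteed to pass values of at least 1 and to cap them, consider clamping before applying the offset (compare `row - 1` against `ts_end - ts_begin`, then add `ts_begin`), or at least document the expected range in a comment above the function and assert it. The same applies to `col--;`: `col == 0` wraps to UINT_MAX and is then clamped to the last column, which is safe but probably not the intended result for that input.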