From: Ed Schouten Date: Sat, 15 Aug 2015 08:42:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r286798 - head/sys/teken X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Aug 2015 08:42:34 -0000 Author: ed Date: Sat Aug 15 08:42:33 2015 New Revision: 286798 URL: https://svnweb.freebsd.org/changeset/base/286798 Log: Stop parsing digits if the value already exceeds USHRT_MAX. There is no need for us to support parsing values that are larger than the maximum terminal window size. In this case that would be the maximum of unsigned short. The problem with parsing larger values is that they can cause integer overflows when adjusting the cursor position, leading to all sorts of failing assertions. PR: 202326 Reported by: kcwu csie org MFC after: 1 month Modified: head/sys/teken/teken.c Modified: head/sys/teken/teken.c ============================================================================== --- head/sys/teken/teken.c Sat Aug 15 08:29:13 2015 (r286797) +++ head/sys/teken/teken.c Sat Aug 15 08:42:33 2015 (r286798) @@ -29,12 +29,14 @@ #include #if defined(__FreeBSD__) && defined(_KERNEL) #include +#include #include #include #define teken_assert(x) MPASS(x) #else /* !(__FreeBSD__ && _KERNEL) */ #include #include +#include #include #include #include 
@@ -405,18 +407,21 @@ teken_state_numbers(teken_t *t, teken_ch teken_assert(t->t_curnum < T_NUMSIZE); if (c >= '0' && c <= '9') { - /* - * Don't do math with the default value of 1 when a - * custom number is inserted. - */ if (t->t_stateflags & TS_FIRSTDIGIT) { + /* First digit. */ t->t_stateflags &= ~TS_FIRSTDIGIT; - t->t_nums[t->t_curnum] = 0; - } else { - t->t_nums[t->t_curnum] *= 10; + t->t_nums[t->t_curnum] = c - '0'; + } else if (t->t_nums[t->t_curnum] < USHRT_MAX) { + /* + * Screen positions are stored as unsigned + * shorts. There is no need to continue parsing + * input once the value exceeds USHRT_MAX. It + * would only allow for integer overflows when + * performing arithmetic on the cursor position. + */ + t->t_nums[t->t_curnum] = + t->t_nums[t->t_curnum] * 10 + c - '0'; } - - t->t_nums[t->t_curnum] += c - '0'; return (1); } else if (c == ';') { if (t->t_stateflags & TS_FIRSTDIGIT)
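Review bot: in the include hunk (@@ -29,12 +29,14 @@), one `+#include` is added in each branch of `#if defined(__FreeBSD__) && defined(_KERNEL)`, and both need to supply USHRT_MAX, because the second hunk uses that macro in code built for kernel and userland alike. The header names are not legible in this copy of the diff, so confirm that each branch pulls in the limits header appropriate to its environment and that the new lines keep the existing include ordering.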
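Review bot: in teken_state_numbers(), the `else if (t->t_nums[t->t_curnum] < USHRT_MAX)` guard is evaluated before the multiply, so it limits growth but does not clamp the result. A stored value of up to USHRT_MAX - 1 still goes through `* 10 + c - '0'`, so the parsed number can end up close to ten times USHRT_MAX (65534 * 10 + 9 = 655349 where USHRT_MAX is 65535). Callers that do cursor arithmetic on t_nums therefore still cannot assume the value fits in an unsigned short. If that bound is intended, the new comment should state it; otherwise clamp to USHRT_MAX after the update. The comment also says parsing stops once the value "exceeds" USHRT_MAX, while the condition stops at equality too, so the wording and the test should be made to agree.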