blob: a52b9e6e681727567f81152a33c6299004985612 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
Date: Thu, 30 Jan 2020 17:56:27 +0100
Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
echo -e "\e]49\e; \n\ec"
crashes screen.
This happens because 49 is divided by 10 and used as table index
resulting in access to w_xtermosc[4], which is out of bounds with table
itself being size 4. Increase size of table by 1 to 5, which is enough
for all current uses.
As this overwrites memory based on user input it is potential security
issue.
Reported-by: pippin@gimp.org
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b]
CVE: CVE-2020-9366
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
window.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/window.h b/window.h
index bd10dcd..a8afa19 100644
--- a/window.h
+++ b/window.h
@@ -237,7 +237,7 @@ struct win
char w_vbwait;
char w_norefresh; /* dont redisplay when switching to that win */
#ifdef RXVT_OSC
- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
+ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
#endif
int w_mouse; /* mouse mode 0,9,1000 */
#ifdef HAVE_BRAILLE
|
