Segfaults on illegal values in DECSTBM and CBT
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvterm | Fix Committed | Undecided | Unassigned |
Bug Description
I have found at least two segfaults in libvterm by running the tests in https:/
Full results with AddressSanitizer stack traces are available at:
https:/
1) DECSTBM
Example:
▶ bin/unterm <(printf '\e[10;9r\e[S')
zsh: segmentation fault (core dumped) bin/unterm <(printf '\e[10;9r\e[S')
Here the issue is that libvterm does not validate that the scrolling region's top >= bottom.
2) CBT
Minimal example:
▶ bin/unterm <(printf '\e[Z')
zsh: segmentation fault (core dumped) bin/unterm <(printf '\e[Z')
Here the issue is that libvterm does not validate that the tab stop does not go past the left column.
Both of these bugs should be caught by testing. I highly encourage you to adopt my test cases. You'll have to modify the expected output since I am mirroring xterm and libvterm handles edge cases differently, but it should be a good start. Please let me know if you have any questions.
summary:
- Two different segfaults regarding scrolling region
+ Segfaults on illegal values in DECSTBM and CBT
I believe this may now be fixed. We've recently been testing it with AFL (http://lcamtuf.coredump.cx/afl/) and that's shaken out quite a few things of this kind.
Please retest on latest version.
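The two parameter checks the report says were missing, written out as an added example; this is not libvterm's code. The Term struct and the function names are hypothetical, and ignoring an inverted DECSTBM region (rather than clamping it) is an assumed policy.

```c
#include <stdio.h>

#define MAX_COLS 256

/* Hypothetical minimal terminal state, not libvterm's structures. */
typedef struct {
    int rows, cols;
    int top, bottom;                 /* scroll region: 0-based top, exclusive bottom */
    unsigned char tabstop[MAX_COLS]; /* 1 where a tab stop is set */
} Term;

void term_init(Term *t, int rows, int cols) {
    t->rows = rows < 1 ? 1 : rows;
    t->cols = cols < 1 ? 1 : (cols > MAX_COLS ? MAX_COLS : cols);
    t->top = 0;
    t->bottom = t->rows;
    for (int i = 0; i < t->cols; i++)
        t->tabstop[i] = (i % 8 == 0);
}

/* DECSTBM (CSI top ; bottom r), 1-based parameters, 0 meaning "default".
 * Returns 1 if the region was applied, 0 if the sequence was ignored. */
int set_scroll_region(Term *t, int top, int bottom) {
    if (top <= 0) top = 1;
    if (bottom <= 0 || bottom > t->rows) bottom = t->rows;
    if (top >= bottom)               /* e.g. CSI 10;9 r from the report */
        return 0;                    /* assumed policy: keep the old region */
    t->top = top - 1;
    t->bottom = bottom;
    return 1;
}

/* CBT (CSI n Z): move back n tab stops, never past column 0.
 * Returns the new cursor column. */
int cursor_back_tab(const Term *t, int col, int count) {
    if (count <= 0) count = 1;       /* a missing parameter means 1 */
    if (col >= t->cols) col = t->cols - 1;
    if (col < 0) col = 0;
    while (count-- > 0 && col > 0) {
        col--;
        while (col > 0 && !t->tabstop[col])
            col--;                   /* the col > 0 test is the left-edge guard */
    }
    return col;
}

int main(void) {
    Term t;
    term_init(&t, 25, 80);
    printf("CSI 10;9 r applied: %d\n", set_scroll_region(&t, 10, 9));
    printf("CSI Z from column 0 -> column %d\n", cursor_back_tab(&t, 0, 1));
    return 0;
}
```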