Segfaults on illegal values in DECSTBM and CBT

Bug #1453611 reported by Mark Lodato on 2015-05-10
Affects Status Importance Assigned to Milestone
libvterm
Undecided
Unassigned

Bug Description

I have found at least two segfaults in libvterm by running the tests in https://github.com/MarkLodato/vt100-parser/tree/master/test.

Full results with AddressSanitizer stack traces are available at:
https://gist.github.com/MarkLodato/437a6deec280a6e8c68b

1) DECSTBM

Example:
▶ bin/unterm <(printf '\e[10;9r\e[S')
zsh: segmentation fault (core dumped) bin/unterm <(printf '\e[10;9r\e[S')

Here the issue is that libvterm does not validate that the scrolling region's top >= bottom.

2) CBT

Minimal example:
▶ bin/unterm <(printf '\e[Z')
zsh: segmentation fault (core dumped) bin/unterm <(printf '\e[Z')

Here the issue is that libvterm does not validate that the tab stop does not go past the left column.

Both of these bugs should be caught by testing. I highly encourage you to adopt my test cases. You'll have to modify the expected output since I am mirroring xterm and libvterm handles edge cases differently, but it should be a good start. Please let me know if you have any questions.
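The two parameter checks the report describes as missing, written as an added example in C for this page (not libvterm's code; the Term struct and the decstbm/cbt handlers are hypothetical stand-ins for the library's own state and handlers): DECSTBM ignores a region whose top is not above its bottom, and CBT never moves the cursor left of column 0.

```c
#include <stdbool.h>

/* Minimal terminal state: a hypothetical stand-in, not libvterm's VTermState. */
typedef struct {
    int rows, cols;
    int scroll_top, scroll_bottom;   /* 0-based, inclusive */
    int cursor_row, cursor_col;      /* 0-based */
    bool tabstop[256];               /* true where a tab stop is set */
} Term;

void term_init(Term *t, int rows, int cols)
{
    t->rows = rows; t->cols = cols;
    t->scroll_top = 0; t->scroll_bottom = rows - 1;
    t->cursor_row = t->cursor_col = 0;
    for (int c = 0; c < 256; c++)            /* default stops every 8 columns */
        t->tabstop[c] = (c > 0 && c < cols && c % 8 == 0);
}

/* DECSTBM (CSI Pt ; Pb r): parameters are 1-based; 0 or omitted means the
 * default (top 1, bottom last row). The region must span at least two rows
 * and fit on screen; anything else is ignored, which is the check the
 * report's \e[10;9r case shows to be missing. Returns true if applied. */
bool decstbm(Term *t, int pt, int pb)
{
    int top = (pt <= 0) ? 1 : pt;
    int bottom = (pb <= 0) ? t->rows : pb;
    if (top >= bottom || bottom > t->rows)
        return false;
    t->scroll_top = top - 1;
    t->scroll_bottom = bottom - 1;
    t->cursor_row = t->cursor_col = 0;       /* DECSTBM homes the cursor */
    return true;
}

/* CBT (CSI Pn Z): move back Pn tab stops (0 counts as 1) but never past
 * column 0, so \e[Z with the cursor at the left margin is a no-op rather
 * than an out-of-range column. Returns the new cursor column. */
int cbt(Term *t, int pn)
{
    int col = t->cursor_col;
    for (int n = (pn <= 0) ? 1 : pn; n > 0 && col > 0; n--) {
        col--;
        while (col > 0 && !t->tabstop[col])
            col--;
    }
    t->cursor_col = col;
    return col;
}
```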

Mark Lodato (lodatom) on 2015-05-10
summary: - Two different segfaults regarding scrolling region
+ Segfaults on illegal values in DECSTBM and CBT
Paul "LeoNerd" Evans (leonerd) wrote:

I believe this may now be fixed. We've recently been testing it with AFL (http://lcamtuf.coredump.cx/afl/) and that's shaken out quite a few things of this kind.

Please retest on latest version.

Mark Lodato (lodatom) wrote:

Yes, these segfaults are now fixed. I still encourage you to add a unit test for this.

Mark Lodato (lodatom) wrote:

I also still encourage you to adopt my test suite. There are still lots of differences between libvterm and xterm, and in its current state libvterm causes Neovim to be unusable for me (e.g. when I search through my zsh history, the cursor gets messed up.) By adding my test suite, I think you'll uncover a lot of bugs. If you want, I can spin this off into a separate bug.
