patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args
Commit:
https://github.com/vim/vim/commit/71a0a552cf08398cb46455687fd3011c33c4e6eb
Author: Christian Brabandt <
c...@256bit.org>
Date: Fri Apr 3 09:36:56 2026 +0000
patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args
Problem: Accumulating CSI argument digits without an upper bound causes
signed integer overflow when the argument exceeds LONG_MAX.
Solution: Clamp CSI argument accumulation to CSI_ARG_MISSING to prevent
signed integer overflow (Yasuhiro Matsumoto).
closes: #19894
Co-authored-by: Yasuhiro Matsumoto <
matt...@gmail.com>
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/src/libvterm/src/parser.c b/src/libvterm/src/parser.c
index b060e2b8a..e167e0cb1 100644
--- a/src/libvterm/src/parser.c
+++ b/src/libvterm/src/parser.c
@@ -232,8 +232,10 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
if(c >= '0' && c <= '9') {
if(vt->parser.v.csi.args[vt->parser.v.csi.argi] == CSI_ARG_MISSING)
vt->parser.v.csi.args[vt->parser.v.csi.argi] = 0;
- vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
- vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+ if(vt->parser.v.csi.args[vt->parser.v.csi.argi] < (CSI_ARG_MISSING - 9) / 10) {
+ vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
+ vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+ }
break;
}
if(c == ':') {
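Review bot: Once the accumulated value reaches `(CSI_ARG_MISSING - 9) / 10`, the new guard silently drops every further digit, so an overlong argument is parsed as its truncated prefix (a different, smaller number) rather than a saturated maximum, which is not quite the "clamp" the commit message describes. The bound also does a second job that is worth stating: it keeps the value from ever equalling `CSI_ARG_MISSING`, which the context lines just above treat as the "no argument yet" sentinel and reset to 0. I would document both with a comment on the guard, e.g. `/* Stop before the value can overflow or collide with the CSI_ARG_MISSING sentinel; excess digits are ignored. */`. If saturation is the intent, an `else` branch that pins the argument to one fixed maximum below the sentinel would be more predictable for the handlers that later consume these counts. No regression test with an over-long digit run is visible in this patch, and the body of `vterm_input_write` continues outside the hunk.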
diff --git a/src/version.c b/src/version.c
index a3f4f24a9..e81115c31 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 288,
/**/
287,
/**/