diff options
Diffstat (limited to 'main/screen/CVE-2015-6806.patch')
-rw-r--r-- | main/screen/CVE-2015-6806.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/main/screen/CVE-2015-6806.patch b/main/screen/CVE-2015-6806.patch new file mode 100644 index 0000000000..24a013b8eb --- /dev/null +++ b/main/screen/CVE-2015-6806.patch @@ -0,0 +1,52 @@ +Origin: commit b7484c224738247b510ed0d268cd577076958f1b +Author: Kuang-che Wu <kcwu@csie.org> +Bug: https://savannah.gnu.org/bugs/?45713 +Bug-Debian: http://bugs.debian.org/797624 +Description: Fix stack overflow due to too deep recursion + How to reproduce: + Run this command inside screen + $ printf '\x1b[10000000T' + . + screen will recursively call MScrollV to depth n/256. + This is time consuming and will overflow stack if n is huge. + +diff --git a/ansi.c b/ansi.c +index a342fb1..152d2ef 100644 +--- a/ansi.c ++++ b/ansi.c +@@ -2502,13 +2502,13 @@ int n, ys, ye, bce; + return; + if (n > 0) + { ++ if (ye - ys + 1 < n) ++ n = ye - ys + 1; + if (n > 256) + { + MScrollV(p, n - 256, ys, ye, bce); + n = 256; + } +- if (ye - ys + 1 < n) +- n = ye - ys + 1; + #ifdef COPY_PASTE + if (compacthist) + { +@@ -2562,14 +2562,14 @@ int n, ys, ye, bce; + } + else + { +- if (n < -256) +- { +- MScrollV(p, n + 256, ys, ye, bce); +- n = -256; +- } + n = -n; + if (ye - ys + 1 < n) + n = ye - ys + 1; ++ if (n > 256) ++ { ++ MScrollV(p, - (n - 256), ys, ye, bce); ++ n = 256; ++ } + + ml = p->w_mlines + ye; + /* Clear lines */ |