1 files changed, 52 insertions, 0 deletions

diff --git a/main/screen/CVE-2015-6806.patch b/main/screen/CVE-2015-6806.patch
new file mode 100644
index 0000000000..24a013b8eb
--- /dev/null
+++ b/main/screen/CVE-2015-6806.patch
@@ -0,0 +1,52 @@
+Origin: commit b7484c224738247b510ed0d268cd577076958f1b
+Author: Kuang-che Wu <kcwu@csie.org>
+Bug: https://savannah.gnu.org/bugs/?45713
+Bug-Debian: http://bugs.debian.org/797624
+Description: Fix stack overflow due to too deep recursion
+ How to reproduce:
+ Run this command inside screen
+ $ printf '\x1b[10000000T'
+ .   
+ screen will recursively call MScrollV to depth n/256.
+ This is time consuming and will overflow stack if n is huge.
+
+diff --git a/ansi.c b/ansi.c
+index a342fb1..152d2ef 100644
+--- a/ansi.c
++++ b/ansi.c
+@@ -2502,13 +2502,13 @@ int n, ys, ye, bce;
+     return;
+   if (n > 0)
+     {
++      if (ye - ys + 1 < n)
++	n = ye - ys + 1;
+       if (n > 256)
+ 	{
+ 	  MScrollV(p, n - 256, ys, ye, bce);
+ 	  n = 256;
+ 	}
+-      if (ye - ys + 1 < n)
+-	n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+ 	{
+@@ -2562,14 +2562,14 @@ int n, ys, ye, bce;
+     }
+   else
+     {
+-      if (n < -256)
+-	{
+-	  MScrollV(p, n + 256, ys, ye, bce);
+-	  n = -256;
+-	}
+       n = -n;
+       if (ye - ys + 1 < n)
+ 	n = ye - ys + 1;
++      if (n > 256)
++	{
++	  MScrollV(p, - (n - 256), ys, ye, bce);
++	  n = 256;
++	}
+ 
+       ml = p->w_mlines + ye;
+       /* Clear lines */