aboutsummaryrefslogtreecommitdiffstats
path: root/main/vte/CVE-2012-2738.patch
blob: fd454079390f3e6c5f7d28b0d8d6084cf3b726ec (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From feeee4b5832b17641e505b7083e0d299fdae318e Mon Sep 17 00:00:00 2001
From: Christian Persch <chpe@gnome.org>
Date: Sat, 19 May 2012 17:36:09 +0000
Subject: emulation: Limit integer arguments to 65535

To guard against malicious sequences containing excessively big numbers,
limit all parsed numbers to 16 bit range. Doing this here in the parsing
routine is a catch-all guard; this doesn't preclude enforcing
more stringent limits in the handlers themselves.

https://bugzilla.gnome.org/show_bug.cgi?id=676090
---
diff --git a/src/table.c b/src/table.c
index 140e8c8..85cf631 100644
--- a/src/table.c
+++ b/src/table.c
@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
 		if (G_UNLIKELY (*array == NULL)) {
 			*array = g_value_array_new(1);
 		}
-		g_value_set_long(&value, total);
+		g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
 		g_value_array_append(*array, &value);
 	} while (i++ < arginfo->length);
 	g_value_unset(&value);
diff --git a/src/vteseq.c b/src/vteseq.c
index 457c06a..46def5b 100644
--- a/src/vteseq.c
+++ b/src/vteseq.c
@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
                               GValueArray *params,
                               VteTerminalSequenceHandler handler)
 {
-        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
+        vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
 }
 
 static void
--
cgit v0.9.0.2