After .ti, there are many reasons why the offset may change, so setting

it back later requires a guard against underflow, or subsequent assertions
may fail.
Issue found in an afl run performed by Jan Schreiber <jes at posteo dot de>.

2 files changed, 16 insertions, 7 deletions

diff --git a/term_ascii.c b/term_ascii.c
index 1c3ecc90..a9aa989a 100644
--- a/term_ascii.c
+++ b/term_ascii.c
@@ -1,7 +1,7 @@
-/*	$Id$ */
+/* $Id$ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014, 2015, 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014,2015,2017,2018,2020 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -232,7 +232,10 @@ ascii_endline(struct termp *p)
 {
 
 	p->line++;
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else
+		p->tcol->offset = 0;
 	p->ti = 0;
 	putchar('\n');
 }
@@ -390,7 +393,10 @@ locale_endline(struct termp *p)
 {
 
 	p->line++;
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else 
+		p->tcol->offset = 0;
 	p->ti = 0;
 	putwchar(L'\n');
 }
diff --git a/term_ps.c b/term_ps.c
index 5bbc3068..567f3ed1 100644
--- a/term_ps.c
+++ b/term_ps.c
@@ -1,7 +1,7 @@
-/*	$Id$ */
+/* $Id$ */
 /*
  * Copyright (c) 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
- * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
+ * Copyright (c) 2014,2015,2016,2017,2020 Ingo Schwarze <schwarze@openbsd.org>
  * Copyright (c) 2017 Marc Espie <espie@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -1252,7 +1252,10 @@ ps_endline(struct termp *p)
 
 	ps_closepage(p);
 
-	p->tcol->offset -= p->ti;
+	if ((int)p->tcol->offset > p->ti)
+		p->tcol->offset -= p->ti;
+	else 
+		p->tcol->offset = 0;
 	p->ti = 0;
 }