From ce34a184400c15c0324318f71fac755b70d2b4d3 Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Sun, 6 Sep 2020 14:45:22 +0000 Subject: After .ti, there are many reasons why the offset may change, so setting it back later requires a guard against underflow, or subsequent assertions may fail. Issue found in an afl run performed by Jan Schreiber . --- term_ascii.c | 14 ++++++++++---- term_ps.c | 9 ++++++--- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/term_ascii.c b/term_ascii.c index 1c3ecc90..a9aa989a 100644 --- a/term_ascii.c +++ b/term_ascii.c @@ -1,7 +1,7 @@ -/* $Id$ */ +/* $Id$ */ /* * Copyright (c) 2010, 2011 Kristaps Dzonsons - * Copyright (c) 2014, 2015, 2017, 2018 Ingo Schwarze + * Copyright (c) 2014,2015,2017,2018,2020 Ingo Schwarze * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -232,7 +232,10 @@ ascii_endline(struct termp *p) { p->line++; - p->tcol->offset -= p->ti; + if ((int)p->tcol->offset > p->ti) + p->tcol->offset -= p->ti; + else + p->tcol->offset = 0; p->ti = 0; putchar('\n'); } @@ -390,7 +393,10 @@ locale_endline(struct termp *p) { p->line++; - p->tcol->offset -= p->ti; + if ((int)p->tcol->offset > p->ti) + p->tcol->offset -= p->ti; + else + p->tcol->offset = 0; p->ti = 0; putwchar(L'\n'); } diff --git a/term_ps.c b/term_ps.c index 5bbc3068..567f3ed1 100644 --- a/term_ps.c +++ b/term_ps.c @@ -1,7 +1,7 @@ -/* $Id$ */ +/* $Id$ */ /* * Copyright (c) 2010, 2011 Kristaps Dzonsons - * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze + * Copyright (c) 2014,2015,2016,2017,2020 Ingo Schwarze * Copyright (c) 2017 Marc Espie * * Permission to use, copy, modify, and distribute this software for any @@ -1252,7 +1252,10 @@ ps_endline(struct termp *p) ps_closepage(p); - p->tcol->offset -= p->ti; + if ((int)p->tcol->offset > p->ti) + p->tcol->offset -= p->ti; + else + p->tcol->offset = 0; p->ti = 0; } -- cgit