termptyesc: fix issue found by fuzzing by Øyvind Kolås (pippin from GIMP)

2020-06-16 20:54:09 +02:00 · 2020-06-16 20:54:09 +02:00 · e7894a887f
parent 5cae99eee1
commit e7894a887f
3 changed files with 29 additions and 6 deletions
--- a/src/bin/termptyesc.c
+++ b/src/bin/termptyesc.c
@ -3954,7 +3954,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
         EINA_FALLTHROUGH;
      case 0:
        // title + icon name
-        if (!*p)
+        if (!p || !*p)
          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        eina_stringshare_del(ty->prop.title);
@ -3977,7 +3977,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
        break;
      case 1:
        // icon name
-        if (!*p)
+        if (!p || !*p)
          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        eina_stringshare_del(ty->prop.icon);
@ -3994,7 +3994,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
        break;
      case 2:
        // Title
-        if (!*p)
+        if (!p || !*p)
          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        eina_stringshare_del(ty->prop.title);
@ -4010,7 +4010,7 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
        if (ty->cb.set_title.func) ty->cb.set_title.func(ty->cb.set_title.data);
        break;
      case 4:
-        if (!*p)
+        if (!p || !*p)
          goto err;
        // XXX: set palette entry. not supported.
        ty->decoding_error = EINA_TRUE;
@ -4020,11 +4020,13 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
        break;
      case 8:
        DBG("hyperlink");
+        if (!p || !*p)
+          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        _handle_hyperlink(ty, s, len);
        break;
      case 10:
-        if (!*p)
+        if (!p || !*p)
          goto err;
        if (*p == '?')
          {
@ -4053,11 +4055,13 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
          }
        break;
      case 11:
+        if (!p || !*p)
+          goto err;
        _handle_xterm_11_command(ty, p);
        break;
      case 50:
        DBG("xterm font support");
-        if (!*p)
+        if (!p || !*p)
          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        if (s)
@ -4098,6 +4102,8 @@ _handle_esc_osc(Termpty *ty, const Eina_Unicode *c, const Eina_Unicode *ce)
        break;
      case 777:
        DBG("xterm notification support");
+        if (!p || !*p)
+          goto err;
        s = eina_unicode_unicode_to_utf8(p, &len);
        if (s)
          {
--- a/tests/crash_empty_osc.sh
+++ b/tests/crash_empty_osc.sh
@ -0,0 +1,16 @@
+#!/bin/sh
+
+# char width: 7
+# char height: 15
+
+# set color
+printf '\033[46;31;3m'
+
+# clear screen
+printf '\033[2J'
+
+# move to 0; 0
+printf '\033[0;0H'
+
+printf '\033]\007'
+printf '\033]\007'
--- a/tests/tests.results
+++ b/tests/tests.results
@ -137,3 +137,4 @@ selection_box_scrolls_down.sh c0fc70e8d865236d66edc7ad13af4dbe
 esc_term_name_version.sh 4498d5f9f7d827bcd46774063510c712
 true_color_cache_thrashing.sh 34df56d44685b91eed2802167f48f3c4
 true_color_cache_reuse.sh ab8e074716821d8c213a01729a57f867
+crash_empty_osc.sh b87272896ce7be9856253b32be1bef14