| commit | af64338852e03d3277367d7a6c4228e592e22c58 | |
| author | Steffen Nurpmeso <steffen@sdaoden.eu> | |
| Thu, 18 Mar 2021 00:05:56 +0000 (18 01:05 +0100) | ||
| committer | Steffen Nurpmeso <steffen@sdaoden.eu> | |
| Thu, 18 Mar 2021 00:15:55 +0000 (18 01:15 +0100) | ||
| tree | f5024c06840ef18d0025cc0f167d949b4e694d6b | treesnapshot (tar.gz zip) |
| parent | edef6effffc077b1300db0b7ea8d76517d8198d7 | commitdiff |
MLE:a_tty_readline(): FIX possible buffer-overflow with HAVE_KEY_BINDINGS..
As bytes come in we check whether they could form a key binding,
and we keep on buffering them until either a binding can be
fullfilled, or we know for sure that there is no mapping, in which
case we output the bytes of the binding "as-is".
In the latter case we did not yet check whether the readline
output buffer was of sufficient size. This never hit me in the
many years since this bug exists, because normally the buffer is
per se very large for one, and we keep on growing it by far too
large. However, in certain conditions we reuse a buffer from
a former command (more so now with linepool), and if that is
small, and if the resize(s) which happen before the necessary
takeover were not sufficient, a memory violation would occur.
It can be reproduced (back to at least v14.9.11) via
..[startup]
? coll
? h[KEY-WHICH-GENERATES \E[1;2C (or of that size, with no binding)
While here, move an assignment in a_tty_check_grow() to the right
place, which avoids a tremendous amount of resizes.
As bytes come in we check whether they could form a key binding,
and we keep on buffering them until either a binding can be
fullfilled, or we know for sure that there is no mapping, in which
case we output the bytes of the binding "as-is".
In the latter case we did not yet check whether the readline
output buffer was of sufficient size. This never hit me in the
many years since this bug exists, because normally the buffer is
per se very large for one, and we keep on growing it by far too
large. However, in certain conditions we reuse a buffer from
a former command (more so now with linepool), and if that is
small, and if the resize(s) which happen before the necessary
takeover were not sufficient, a memory violation would occur.
It can be reproduced (back to at least v14.9.11) via
..[startup]
? coll
? h[KEY-WHICH-GENERATES \E[1;2C (or of that size, with no binding)
While here, move an assignment in a_tty_check_grow() to the right
place, which avoids a tremendous amount of resizes.
| src/mx/tty-mle.c | diffblobblamehistory |