It allows remote attackers to cause a denial of service
(invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8
character sequence.
bugfix: https://savannah.gnu.org/bugs/?60030
Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
A cross-reference was intended to be placed inside parentheses,
but the closing parenthesis was forgotten; this commit inserts
that missing closing parenthesis.
Commit c5db181 expands index range of "typ2" by one without expanding
affected arrays. d_xtermosc in struct display is one of these.
Related: c5db181b6e
(ansi: add support for xterm OSC 11)
Related: 68386dfb1f
(Fix out of bounds access when setting w_xtermosc after OSC 49)
Signed-off-by: Václav Doležal <vdolezal@redhat.com>
echo -e "\e]49\e; \n\ec"
crashes screen.
This happens because 49 is divided by 10 and used as table index
resulting in access to w_xtermosc[4], which is out of bounds with table
itself being size 4. Increase size of table by 1 to 5, which is enough
for all current uses.
As this overwrites memory based on user input it is a potential security
issue.
Reported-by: pippin@gimp.org
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
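The index arithmetic described in the commit message above, as an added example (not code from screen or from the commit): a simplified model showing that OSC type 49 maps to slot 4, which in a 4-row table begins exactly where the next struct member starts, and a checked setter that refuses such an index. `struct model_win`, `neighbour`, `OSC_STRLEN` and the helper names are assumptions; only `w_xtermosc`, the divide-by-10 indexing and the table sizes 4 and 5 come from the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OSC_SLOTS  4   /* table size before the fix, per the commit message */
#define OSC_STRLEN 32  /* assumed per-slot buffer length */

/* Hypothetical stand-in for the window struct: `neighbour` is whatever
 * member happens to follow the table in memory. */
struct model_win {
    char w_xtermosc[OSC_SLOTS][OSC_STRLEN];
    char neighbour[OSC_STRLEN];
};

/* Index derivation described in the commit message: OSC type / 10. */
static int osc_slot(int typ) { return typ / 10; }

/* 1 if the slot for this OSC type lies outside a table of `slots` rows.
 * Pure arithmetic: nothing is read or written out of bounds here. */
static int slot_out_of_bounds(int typ, size_t slots)
{
    int typ2 = osc_slot(typ);
    return typ2 < 0 || (size_t)typ2 >= slots;
}

/* Byte offset, from the start of the struct, where that slot would begin. */
static size_t slot_offset(int typ)
{
    return offsetof(struct model_win, w_xtermosc)
         + (size_t)osc_slot(typ) * OSC_STRLEN;
}

/* Checked setter: rejects an index outside the table and always
 * NUL-terminates. Returns 0 on success, -1 when the type is refused. */
static int set_xtermosc(struct model_win *w, int typ, const char *val)
{
    size_t slots = sizeof w->w_xtermosc / sizeof w->w_xtermosc[0];
    if (slot_out_of_bounds(typ, slots))
        return -1;
    snprintf(w->w_xtermosc[osc_slot(typ)], OSC_STRLEN, "%s", val);
    return 0;
}

int main(void)
{
    static struct model_win w;  /* zero-initialized */
    printf("OSC 49 -> slot %d at offset %zu; neighbour at %zu; set=%d\n",
           osc_slot(49), slot_offset(49),
           offsetof(struct model_win, neighbour), set_xtermosc(&w, 49, "x"));
    return 0;
}
```

With the table enlarged to 5 rows, as the commit does, `slot_out_of_bounds(49, 5)` is 0; the bounds check in the setter is an extra safeguard shown here, not something the commit message describes.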
TERMCAP_BUF defaults to 1023 to create TERMCAP entries that work on
most systems. To save space, TERMCAP is unwrapped, and vt220 extra
keys are skipped (unless TERMCAP_BUF > 1023); navigation keys are
still included. Entries larger than TERMCAP_BUF are now truncated,
and no longer Panic screen.
Termcap entries are still wrapped when saved to a file.
Signed-off-by: Scott Shambarger <devel@shambarger.net>
Here's the rub: with TERM=xterm (or rxvt, for that matter), Km
("key_mouse", "Mouse event has occurred") is not set (and therefore
NULL), but InitTermcap() (termcap.c:230) happily tries to strdup() that,
which gets us that segfault.
As a band-aid, catch that NULL and don't strdup().
Signed-off-by: Marcin Cieślak <saper@saper.info>
Optimize startup time, making closeallfiles() faster, by doing fewer
system calls. Instead of calling close for each possible file, use
poll() to check if the file exists at all. On Linux with open file limit set
to 1048576, it should do 1024 poll() calls instead of 1048576 close().
Bug: 55618
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
ncurses 6.1 changed kmous capability from "\e[M" to "\e[<". It seems to
be done to signal that terminal supports sgr mouse mode. screen assumed
that if kmous is set to "\e[M" it is on xterm compatible terminal
anyway, so just dynamically detect which one is used and override
relevant kmapdef.
InitKeytab() is moved, so kmapdef[] can be overridden before
initialization, as InitTermcap() needs to run first, as far as I can
tell this should have no consequences.
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
Fixes problem when pressing arrows in some prompts causes arrows to stop
in other places.
For example pressing up arrow in 'kill --confirm' prompt stops up arrow
from working on 'windowlist'
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
* Change RunBlanker to call OpenDevice so permissions on slave
PTY are correctly set.
* Update handling of file descriptors after fork to be similar to
ForkWindow on at pty (fixes debug and leaked descriptors)
* DEBUG now creates screen.blanker to debug blanker fork
* Allow display of error message when display blocked by blanker
(because message is probably from blanker failing to start)
Bug: 55512
Signed-off-by: Scott Shambarger <devel@shambarger.net>
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
* Set eff_uid/eff_gid after setuid/setgid to prevent nested Panic
MakeClientSocket calls xseteuid(eff_uid=0) - results in nested
Panic and SendErrorMsg not getting sent.
* Set ServerSocket to -1 after fork so that child Panic doesn't
remove socket in eexit.
Bug: 55511
Applied with some modifications
Signed-off-by: Scott Shambarger <devel@shambarger.net>
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
Move `nomem' label of ChangeWindowSize() to the end of function and
add test for value of `nhlines'
Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
This reverts commit ff98d7ff58.
This can potentially cause double-free. `nmlines' and `nhlines'
should be freed in preceding lines.
`nmlines' and `nhlines' are not used in the rest of the function
except in `nomem' label and their values are copied into `p', so
their value should be zeroed.
Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>