path: root/main/screen/CVE-2015-6806.patch
Origin: commit b7484c224738247b510ed0d268cd577076958f1b
Author: Kuang-che Wu <kcwu@csie.org>
Bug: https://savannah.gnu.org/bugs/?45713
Bug-Debian: http://bugs.debian.org/797624
Description: Fix stack overflow due to too deep recursion
 How to reproduce:
 Run this command inside screen
 $ printf '\x1b[10000000T'
 .   
 screen will recursively call MScrollV to depth n/256.
 This is time consuming and will overflow stack if n is huge.

diff --git a/ansi.c b/ansi.c
index a342fb1..152d2ef 100644
--- a/ansi.c
+++ b/ansi.c
@@ -2502,13 +2502,13 @@ int n, ys, ye, bce;
     return;
   if (n > 0)
     {
+      if (ye - ys + 1 < n)
+	n = ye - ys + 1;
       if (n > 256)
 	{
 	  MScrollV(p, n - 256, ys, ye, bce);
 	  n = 256;
 	}
-      if (ye - ys + 1 < n)
-	n = ye - ys + 1;
 #ifdef COPY_PASTE
       if (compacthist)
 	{
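Review bot: Nothing in the code records that the clamp to `ye - ys + 1` must come before the 256-line chunking, so a later tidy-up could swap the two back and reintroduce the unbounded recursion this patch removes. I would add a comment above the moved lines, e.g. `/* Clamp to the region height first: this bounds the recursion below to about (ye - ys + 1) / 256 levels. */`. The depth is still proportional to the region height, and whether that height is capped elsewhere is not visible in this hunk. MScrollV's body starts before and continues past the hunk.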
@@ -2562,14 +2562,14 @@ int n, ys, ye, bce;
     }
   else
     {
-      if (n < -256)
-	{
-	  MScrollV(p, n + 256, ys, ye, bce);
-	  n = -256;
-	}
       n = -n;
       if (ye - ys + 1 < n)
 	n = ye - ys + 1;
+      if (n > 256)
+	{
+	  MScrollV(p, - (n - 256), ys, ye, bce);
+	  n = 256;
+	}
 
       ml = p->w_mlines + ye;
       /* Clear lines */
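Review bot: `n = -n;` still runs on the unclamped value, so if a caller can ever pass INT_MIN the negation is signed overflow (undefined behaviour) before the new clamp-then-chunk logic is reached. Whether the escape-sequence parser already bounds n is not visible in this hunk. Clamping on the negative side first would remove the dependency on that: `if (n < -(ye - ys + 1)) n = -(ye - ys + 1);` placed ahead of `n = -n;`. As a minor style point, `- (n - 256)` in the recursive call reads more clearly as `256 - n`. The function continues past the end of the hunk.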