From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Thu, 27 Jun 2019 07:35:23 +0200
Message-Id: <20190627053523.25541-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH] console: fix cell overflow
Cc: alxndr@bu.edu, Gerd Hoffmann, P J P

Linux terminal behavior (coming from vt100 I think) is somewhat strange when it comes to line wraps: When a character is printed to the last char cell of a line the cursor does NOT jump to the next line but stays where it is. The line feed happens when the next character is printed.

So the valid range for the cursor position is not 0 .. width-1 but 0 .. width, where x == width represents the state where the line is full but the cursor didn't jump to the next line yet.

The code for the 'clear from start of line' control sequence (ESC[1K) fails to handle this corner case correctly and may call console_clear_xy() with x == width. That will incorrectly clear the first char cell of the next line, or in case the cursor happens to be on the last line overflow the cell buffer by one character (three bytes).

Add a check to the loop to fix that.

Didn't spot any other places with the same problem. But it's easy to miss that corner case, so also allocate one extra cell as a precaution, so in case we have similar issues lurking elsewhere it at least wouldn't be a buffer overflow.
Reported-by: Alexander Oleinik Signed-off-by: Gerd Hoffmann Reviewed-by: Christophe de Dinechin --- ui/console.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ui/console.c b/ui/console.c index eb7e7e0c517a..13d933510cdb 100644 --- a/ui/console.c +++ b/ui/console.c @@ -484,7 +484,7 @@ static void text_console_resize(QemuConsole *s) if (s->width < w1) w1 =3D s->width; =20 - cells =3D g_new(TextCell, s->width * s->total_height); + cells =3D g_new(TextCell, s->width * s->total_height + 1); for(y =3D 0; y < s->total_height; y++) { c =3D &cells[y * s->width]; if (w1 > 0) { @@ -992,7 +992,7 @@ static void console_putchar(QemuConsole *s, int ch) break; case 1: /* clear from beginning of line */ - for (x =3D 0; x <=3D s->x; x++) { + for (x =3D 0; x <=3D s->x && x < s->width; x++) { console_clear_xy(s, x, s->y); } break; --=20 2.18.1
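Review bot: in the text_console_resize hunk the spare cell from `cells = g_new(TextCell, s->width * s->total_height + 1);` is never initialized: the loop right after it only walks `y < s->total_height` rows of `s->width` cells via `c = &cells[y * s->width];`, so the guard cell keeps whatever g_new handed back. Since the commit message explicitly expects stray `x == width` accesses to land in that cell, a read of it would be an uninitialized read rather than a clean blank cell; consider g_new0 or clearing the extra cell explicitly, and put a one-line comment at the allocation saying why the `+ 1` is there so it is not removed later as an apparent off-by-one.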
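Review bot: the added `x < s->width` guard in the console_putchar hunk fixes ESC[1K, but it enforces the cursor invariant (x may equal width while the wrap is pending) at a single call site, and the commit message itself says other callers may have the same problem. The more robust place for the check is console_clear_xy() itself: rejecting or clamping `x >= s->width` (and `y >= s->total_height`) there covers every caller at once, with the loop change kept as-is for readability. A short comment on the loop explaining why s->x can reach s->width would also help the next reader.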
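The deferred-wrap cursor state and the off-by-one the commit message describes, as an added C example constructed for this page (not QEMU's code): Con, con_putc and clear_from_bol are this example's own names, and clear_from_bol runs either the original or the patched loop condition and reports whether an index would leave the width*height area.

```c
#include <stdlib.h>

/* Constructed model of a text console cell buffer (not QEMU's code):
 * width*height cells, cursor x in 0..width inclusive. */
typedef struct { char ch; } Cell;

typedef struct {
    int width, height;
    int x, y;      /* x == width: line full, line feed still pending */
    Cell *cells;
} Con;

static Con *con_new(int w, int h) {
    Con *s = calloc(1, sizeof *s);
    s->width = w;
    s->height = h;
    /* one spare cell, as the patch allocates, so a stray x == width
     * write on the last line lands in the guard cell, not past the end */
    s->cells = calloc((size_t)w * h + 1, sizeof(Cell));
    return s;
}

/* vt100-style deferred wrap: the line feed happens when the next
 * character arrives, not when the last cell of the line is filled.
 * (No scrollback here: the cursor simply wraps to the top row.) */
static void con_putc(Con *s, char ch) {
    if (s->x == s->width) {
        s->x = 0;
        s->y = (s->y + 1) % s->height;
    }
    s->cells[s->y * s->width + s->x].ch = ch;
    s->x++;        /* may now equal width: wrap is deferred */
}

/* ESC[1K, clear from beginning of line up to the cursor.
 * bounded == 0 reproduces the original loop, bounded == 1 the patched one.
 * Returns the number of cells cleared, or -1 if an index would fall
 * outside the width*height area (the overflow the patch fixes). */
static int clear_from_bol(Con *s, int bounded) {
    int x, n = 0;
    for (x = 0; x <= s->x && (!bounded || x < s->width); x++) {
        int idx = s->y * s->width + x;
        if (idx >= s->width * s->height)
            return -1;
        s->cells[idx].ch = ' ';
        n++;
    }
    return n;
}
```

With a 4x2 buffer and the cursor parked at x == width on row 0, the original loop clears five cells and wipes the first cell of row 1; on the last row the same state would index one cell past the buffer, which the patched loop never does.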