commit 8707ec264462b66ff9243f40365d6d24ed2f7f6d
parent db2b774a16414a7b964736c0e896ddd40d25ca3f
Author: gcrtnst <52910071+gcrtnst@users.noreply.github.com>
Date: Tue, 6 May 2025 21:20:03 +0900
fix(termkey): out-of-bounds write in array #33868
Problem:
termkey crashes due to an out-of-bounds write in an array when it
received a CSI sequence with 17 or more arguments. This could be
observed on startup with certain terminal emulators like [RLogin], which
send a response to the `CSI c` query containing 17 parameters.
The termkey code has a boundary check, but its comparison operator is
incorrect.
Solution:
Correct the comparison operator to ensure proper boundary checking.
With this change, I have confirmed that the crash no longer occurs on
RLogin. https://github.com/kmiya-culti/RLogin
Fixes #24356
Diffstat:
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nvim/tui/termkey/driver-csi.c b/src/nvim/tui/termkey/driver-csi.c
@@ -507,7 +507,7 @@ static TermKeyResult parse_csi(TermKey *tk, size_t introlen, size_t *csi_len,
present = 0;
argi++;
- if (argi > 16) {
+ if (argi >= 16) {
break;
}
} else if (c >= 0x20 && c <= 0x2f) {
