patch 9.1.1082: unexpected DCS responses may cause out of bounds reads

julio-b · chrisbra · commit a6d5778d9b14 · 2025-02-07T20:54:56.000+01:00
Problem:  unexpected DCS responses may cause out of bounds reads
          (after v9.1.1054)
Solution: check that the parsed value is '=' as expected
          (Julio B)

Signed-off-by: Julio B &lt;julio.bacel@gmail.com&gt;
Signed-off-by: Christian Brabandt &lt;cb@256bit.org&gt;
diff --git a/src/term.c b/src/term.c
@@ -7136,7 +7136,9 @@ req_more_codes_from_term(void)
 }
 
 /*
- * Decode key code response from xterm: '<Esc>P1+r<name>=<string><Esc>\'.
+ * Decode key code response from xterm:
+ * '<Esc>P1+r<name>=<string><Esc>\' if it is enabled/supported
+ * '<Esc>P0+r<Esc>\'                if it not enabled
  * A "0" instead of the "1" indicates a code that isn't supported.
  * Both <name> and <string> are encoded in hex.
  * "code" points to the "0" or "1".
@@ -7152,8 +7154,9 @@ got_code_from_term(char_u *code, int len)
     int		c;
 
     // A '1' means the code is supported, a '0' means it isn't.
+    // If it is supported, there must be a '=' following
     // When half the length is > XT_LEN we can't use it.
-    if (code[0] == '1' && (code[7] || code[9] == '=') && len / 2 < XT_LEN)
+    if (code[0] == '1' && (code[7] == '=' || code[9] == '=') && len / 2 < XT_LEN)
     {
 	// Get the name from the response and find it in the table.
 	name[0] = hexhex2nr(code + 3);
diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1082,
 /**/
     1081,
 /**/
