[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-4.0-testing] console: bounds check whenever changing the cursor due to an escape code
commit 091149d364e893e643a5da3175c3f84d2163cb3e Author: Ian Campbell <ian.campbell@xxxxxxxxxx> Date: Wed Sep 5 12:31:40 2012 +0100 console: bounds check whenever changing the cursor due to an escape code This is XSA-17 / CVE-2012-3515 Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> (cherry picked from commit a56ae4b5069c7b23ee657b15f08443a9b14a8e7b) --- console.c | 57 ++++++++++++++++++++++++++++----------------------------- 1 files changed, 28 insertions(+), 29 deletions(-) diff --git a/console.c b/console.c index 5e6e3d0..9984d6f 100644 --- a/console.c +++ b/console.c @@ -794,6 +794,26 @@ static void console_clear_xy(TextConsole *s, int x, int y) update_xy(s, x, y); } +/* set cursor, checking bounds */ +static void set_cursor(TextConsole *s, int x, int y) +{ + if (x < 0) { + x = 0; + } + if (y < 0) { + y = 0; + } + if (y >= s->height) { + y = s->height - 1; + } + if (x >= s->width) { + x = s->width - 1; + } + + s->x = x; + s->y = y; +} + static void console_putchar(TextConsole *s, int ch) { TextCell *c; @@ -869,7 +889,8 @@ static void console_putchar(TextConsole *s, int ch) s->esc_params[s->nb_esc_params] * 10 + ch - '0'; } } else { - s->nb_esc_params++; + if (s->nb_esc_params < MAX_ESC_PARAMS) + s->nb_esc_params++; if (ch == ';') break; #ifdef DEBUG_CONSOLE @@ -883,59 +904,37 @@ static void console_putchar(TextConsole *s, int ch) if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y -= s->esc_params[0]; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->x, s->y - s->esc_params[0]); break; case 'B': /* move cursor down */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->y += s->esc_params[0]; - if (s->y >= s->height) { - s->y = s->height - 1; - } + set_cursor(s, s->x, s->y + s->esc_params[0]); break; case 'C': /* move cursor right */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x += s->esc_params[0]; - if (s->x >= s->width) { - s->x = s->width - 1; - } + set_cursor(s, s->x + s->esc_params[0], s->y); break; case 'D': /* move cursor left */ if (s->esc_params[0] == 0) { s->esc_params[0] = 1; } - s->x -= s->esc_params[0]; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->x - s->esc_params[0], s->y); break; case 'G': /* move cursor to column */ - s->x = s->esc_params[0] - 1; - if (s->x < 0) { - s->x = 0; - } + set_cursor(s, s->esc_params[0] - 1, s->y); break; case 'f': case 'H': /* move cursor to row, column */ - s->x = s->esc_params[1] - 1; - if (s->x < 0) { - s->x = 0; - } - s->y = s->esc_params[0] - 1; - if (s->y < 0) { - s->y = 0; - } + set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1); break; case 'J': switch (s->esc_params[0]) { -- generated by git-patchbot for /home/xen/git/qemu-xen-4.0-testing.git _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |