1Upstream-Status: Backport
2CVE: CVE-2012-2738
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From e524b0b3bd8fad844ffa73927c199545b892cdbd Mon Sep 17 00:00:00 2001
6From: Christian Persch <chpe@gnome.org>
7Date: Sat, 19 May 2012 19:36:09 +0200
8Subject: [PATCH 1/2] emulation: Limit integer arguments to 65535
9
10To guard against malicious sequences containing excessively big numbers,
11limit all parsed numbers to 16 bit range. Doing this here in the parsing
12routine is a catch-all guard; this doesn't preclude enforcing
13more stringent limits in the handlers themselves.
14
15https://bugzilla.gnome.org/show_bug.cgi?id=676090
16---
17 src/table.c | 2 +-
18 src/vteseq.c | 2 +-
19 2 files changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/src/table.c b/src/table.c
22index 140e8c8..85cf631 100644
23--- a/src/table.c
24+++ b/src/table.c
25@@ -550,7 +550,7 @@ _vte_table_extract_numbers(GValueArray **array,
26 if (G_UNLIKELY (*array == NULL)) {
27 *array = g_value_array_new(1);
28 }
29- g_value_set_long(&value, total);
30+ g_value_set_long(&value, CLAMP (total, 0, G_MAXUSHORT));
31 g_value_array_append(*array, &value);
32 } while (i++ < arginfo->length);
33 g_value_unset(&value);
34diff --git a/src/vteseq.c b/src/vteseq.c
35index 7ef4c8c..10991db 100644
36--- a/src/vteseq.c
37+++ b/src/vteseq.c
38@@ -557,7 +557,7 @@ vte_sequence_handler_multiple(VteTerminal *terminal,
39 GValueArray *params,
40 VteTerminalSequenceHandler handler)
41 {
42- vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXLONG);
43+ vte_sequence_handler_multiple_limited(terminal, params, handler, G_MAXUSHORT);
44 }
45
46 static void
47--
482.4.9 (Apple Git-60)
49
50
51From cf1ad453a8def873c49cf6d88162593402f32bb2 Mon Sep 17 00:00:00 2001
52From: Christian Persch <chpe@gnome.org>
53Date: Sat, 19 May 2012 20:04:12 +0200
54Subject: [PATCH 2/2] emulation: Limit repetitions
55
56Don't allow malicious sequences to cause excessive repetitions.
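Review bot: In src/table.c, `_vte_table_extract_numbers`, the `CLAMP (total, 0, G_MAXUSHORT)` is applied only at the point where the value is stored, so `total` itself is still built up unbounded from the input digits. The accumulation loop is outside this hunk, but if `total` is a signed `long` grown digit by digit, a long enough digit run overflows it (undefined behaviour in C) before the clamp ever runs. Saturating inside that loop closes the gap, e.g. `if (total > G_MAXUSHORT) total = G_MAXUSHORT;` after each digit is added. A short comment that out-of-range input is stored as 0 or 65535 rather than rejected would also help whoever reads the handlers later.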
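Review bot: In src/vteseq.c, `vte_sequence_handler_multiple` still allows a single sequence to invoke `handler` up to 65535 times, and nothing at the call explains why that value was chosen or how it relates to the parser-side clamp. A comment above the call would record the intent, for example `/* Same 16-bit cap as the CLAMP in _vte_table_extract_numbers(); handlers with a natural bound (rows, columns) should pass a tighter limit. */`. The first line of the function's signature appears only in the hunk header, and the `static void` that follows the closing brace belongs to a definition that continues outside the hunk.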
57
58https://bugzilla.gnome.org/show_bug.cgi?id=676090
59---
60 src/vteseq.c | 25 ++++++++++++++++++-------
61 1 file changed, 18 insertions(+), 7 deletions(-)
62
63diff --git a/src/vteseq.c b/src/vteseq.c
64index 10991db..209522f 100644
65--- a/src/vteseq.c
66+++ b/src/vteseq.c
67@@ -1392,7 +1392,7 @@ vte_sequence_handler_dc (VteTerminal *terminal, GValueArray *params)
68 static void
69 vte_sequence_handler_DC (VteTerminal *terminal, GValueArray *params)
70 {
71- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_dc);
72+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_dc);
73 }
74
75 /* Delete a line at the current cursor position. */
76@@ -1785,7 +1785,7 @@ vte_sequence_handler_reverse_index (VteTerminal *terminal, GValueArray *params)
77 static void
78 vte_sequence_handler_RI (VteTerminal *terminal, GValueArray *params)
79 {
80- vte_sequence_handler_multiple(terminal, params, vte_sequence_handler_nd);
81+ vte_sequence_handler_multiple_r(terminal, params, vte_sequence_handler_nd);
82 }
83
84 /* Save cursor (position). */
85@@ -2777,8 +2777,7 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
86 {
87 GValue *value;
88 VteScreen *screen;
89- long param, end, row;
90- int i;
91+ long param, end, row, i, limit;
92 screen = terminal->pvt->screen;
93 /* The default is one. */
94 param = 1;
95@@ -2796,7 +2795,13 @@ vte_sequence_handler_insert_lines (VteTerminal *terminal, GValueArray *params)
96 } else {
97 end = screen->insert_delta + terminal->row_count - 1;
98 }
99- /* Insert the new lines at the cursor. */
100+
101+ /* Only allow to insert as many lines as there are between this row
102+ * and the end of the scrolling region. See bug #676090.
103+ */
104+ limit = end - row + 1;
105+ param = MIN (param, limit);
106+
107 for (i = 0; i < param; i++) {
108 /* Clear a line off the end of the region and add one to the
109 * top of the region.
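Review bot: `vte_sequence_handler_multiple_r`, now called from `vte_sequence_handler_DC` and `vte_sequence_handler_RI` in src/vteseq.c, is neither defined nor declared anywhere in this two-patch series. Because the patch is carried as a backport, the target tree has to be checked for that helper and for the bound it applies; if it is absent the file will not build, and if its limit differs from upstream the repetition cap on these two handlers is not the one the commit message describes. A comment at each call would make the reason for the switch visible, e.g. `/* _r variant: repeat count is bounded by the helper; see bug #676090. */`.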
*/
110@@ -2817,8 +2822,7 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
111 {
112 GValue *value;
113 VteScreen *screen;
114- long param, end, row;
115- int i;
116+ long param, end, row, i, limit;
117
118 screen = terminal->pvt->screen;
119 /* The default is one. */
120@@ -2837,6 +2841,13 @@ vte_sequence_handler_delete_lines (VteTerminal *terminal, GValueArray *params)
121 } else {
122 end = screen->insert_delta + terminal->row_count - 1;
123 }
124+
125+ /* Only allow to delete as many lines as there are between this row
126+ * and the end of the scrolling region. See bug #676090.
127+ */
128+ limit = end - row + 1;
129+ param = MIN (param, limit);
130+
131 /* Clear them from below the current cursor. */
132 for (i = 0; i < param; i++) {
133 /* Insert a line at the end of the region and remove one from
134--
1352.4.9 (Apple Git-60)
136
137
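Review bot: In `vte_sequence_handler_insert_lines` (and in the identical lines added to `vte_sequence_handler_delete_lines`), `limit = end - row + 1` is never checked for being zero or negative, so `param = MIN (param, limit)` can leave `param` negative if the cursor row lies below `end`. The `for` loop then simply does not run, but both functions continue past the end of their hunks, and any later use of `param` there would receive the negative count. Flooring the bound avoids that: `limit = MAX (end - row + 1, 0);`. Whether `row > end` is actually reachable depends on how `row` and `end` are computed above the hunk, which is not visible here.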