
Ensure cursor is clamped after buffer swap #124

Open
wants to merge 1 commit into base: master
Commits on Jun 19, 2021

  1. Ensure cursor is clamped after buffer swap

    vt_resize resizes both buffers of the given Vt* (involving a realloc),
    but can only correctly clamp the cursor of the active buffer. This means
    that when it comes time to switch to the other buffer in
    interpret_csi_priv_mode, we might be switching to a buffer which has a
    cursor pointing to old memory. Thus, when we switch buffers it's
    necessary to ensure the cursor is clamped to avoid memory errors.
    
    This is a bug I've observed for a few years but never often enough to
    worry me. After I was able to pin it down to activities such as the
    opening of manpages and resizing terminals, I boiled it down to be
    reproducible as:
    
    1. Open a manpage in dvtm, buffer swap to alt
    2. Close the manpage and return to the shell, buffer swaps to norm
    3. Resize the pane to have fewer rows than before, alt+norm are resized
       but only norm has its cursor clamped
    4. Open a manpage again, UAF causes crash since unclamped curs_row on
       alt buffer is still pointing to before-resize allocation
    
    With some exploratory testing I have seen crashes identical or nearly
    identical to the following, fixed by this patch:
    
    * martanne#73
    * martanne#74
    phillid committed Jun 19, 2021, commit 6439b1c
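The four-step reproduction in the commit message, replayed as an added example. This is not dvtm's code: the `Buffer`/`Vt` structs and the `buffer_resize`, `vt_resize`, `vt_swap_buffer` and `clamp_cursor` names are assumptions chosen to mirror the description, and the cursor is modelled as a row index rather than the `Row *` pointer dvtm uses, so that a stale cursor is reported by `cursor_in_bounds` instead of being a dangling pointer. `reproduce(0)` models the pre-patch behaviour (only the active buffer is clamped in `vt_resize`), `reproduce(1)` models the patch (the buffer being switched to is clamped on swap).

```c
#include <stdlib.h>

/* Added example, not dvtm's own code. A minimal model of a terminal with a
 * normal and an alternate screen buffer; all names here are assumptions. */

typedef struct {
    char *cells;     /* rows * cols bytes, realloc'd on every resize */
    int   rows, cols;
    int   curs_row;  /* cursor row index; stale (>= rows) after a shrink unless clamped */
} Buffer;

typedef struct {
    Buffer  normal, alt;
    Buffer *active;
} Vt;

static void buffer_init(Buffer *b, int rows, int cols)
{
    b->rows = rows;
    b->cols = cols;
    b->cells = calloc((size_t)rows * cols, 1);
    if (!b->cells) abort();
    b->curs_row = 0;
}

/* Reallocate the cell storage. As in the commit message's description of
 * the pre-patch code, this deliberately leaves curs_row alone. */
static void buffer_resize(Buffer *b, int rows, int cols)
{
    char *cells = realloc(b->cells, (size_t)rows * cols);
    if (!cells) abort();
    b->cells = cells;
    b->rows = rows;
    b->cols = cols;
}

/* Pull the cursor back inside [0, rows). */
static void clamp_cursor(Buffer *b)
{
    if (b->curs_row >= b->rows)
        b->curs_row = b->rows - 1;
    if (b->curs_row < 0)
        b->curs_row = 0;
}

/* 1 if a write at the cursor would stay inside the current allocation. */
int cursor_in_bounds(const Buffer *b)
{
    return b->curs_row >= 0 && b->curs_row < b->rows;
}

/* Pre-patch behaviour: both buffers are resized, only the active cursor clamped. */
static void vt_resize(Vt *t, int rows, int cols)
{
    buffer_resize(&t->normal, rows, cols);
    buffer_resize(&t->alt, rows, cols);
    clamp_cursor(t->active);
}

/* Switch between the normal and alternate screen. With clamp_on_swap set,
 * the buffer being switched to is clamped, which is the patch's idea. */
static void vt_swap_buffer(Vt *t, int clamp_on_swap)
{
    t->active = (t->active == &t->normal) ? &t->alt : &t->normal;
    if (clamp_on_swap)
        clamp_cursor(t->active);
}

/* Replay the reproduction steps; return 1 if the alt buffer's cursor is
 * still usable after step 4, 0 if a write there would run off the end. */
int reproduce(int clamp_on_swap)
{
    Vt t;
    buffer_init(&t.normal, 40, 80);
    buffer_init(&t.alt, 40, 80);
    t.active = &t.normal;

    /* 1. open a manpage: swap to alt, the pager leaves the cursor on the last row */
    vt_swap_buffer(&t, clamp_on_swap);
    t.active->curs_row = t.active->rows - 1;

    /* 2. close the manpage: back to normal */
    vt_swap_buffer(&t, clamp_on_swap);

    /* 3. shrink the pane: both buffers resized, only normal is clamped */
    vt_resize(&t, 10, 80);

    /* 4. open a manpage again: alt's cursor still says row 39 of a 10-row buffer */
    vt_swap_buffer(&t, clamp_on_swap);
    int ok = cursor_in_bounds(t.active);

    free(t.normal.cells);
    free(t.alt.cells);
    return ok;
}
```

In the index-based model the stale value is merely out of range; with dvtm's pointer representation the same stale value is a pointer into the freed pre-resize allocation, which is why the real symptom is a use-after-free rather than a bounds error.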