3.1c.

Do not write after the end of the array and overwrite the stack when
colon-separated SGR sequences contain empty arguments. Reported by Sergey Nizovtsev.
2025-06-24 00:00:51 -04:00 · 2020-10-30 12:11:02 +00:00 · 2020-10-30 12:09:52 +00:00
3 changed files with 11 additions and 2 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
 CHANGED FROM 3.1b TO 3.1c
 * Fix a stack overflow on colon-separated CSI parsing.
 CHANGES FROM 3.1a TO 3.1b
 * Fix build on systems without sys/queue.h.
--- a/configure.ac
+++ b/configure.ac
@ -1,6 +1,6 @@
 # configure.ac
-AC_INIT([tmux], 3.1b)
+AC_INIT([tmux], 3.1c)
 AC_PREREQ([2.60])
 AC_CONFIG_AUX_DIR(etc)
--- a/input.c
+++ b/input.c
@ -1929,8 +1929,13 @@ input_csi_dispatch_sgr_colon(struct input_ctx *ictx, u_int i)
 				free(copy);
 				return;
 			}
-		} else
+		} else {
 			n++;
 			if (n == nitems(p)) {
 				free(copy);
 				return;
 			}
 		}
 		log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
 	}
 	free(copy);
Author	SHA1	Message	Date
Nicholas Marriott	25cae5d86f	3.1c.	2020-10-30 12:11:02 +00:00
nicm	d0ad34e94d	Do not write after the end of the array and overwrite the stack when colon-separated SGR sequences contain empty arguments. Reported by Sergey Nizovtsev.	2020-10-30 12:09:52 +00:00