BBS: TELESC.NET.BR
Subject: src/conio/cterm.c
From: Deuce
Date: Sun, 15 Mar 2026 22:51:38 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/1ca9c740a257a2eb93f86bf9

Modified Files:
src/conio/cterm.c

Log Message:
Fix uint64-to-int truncation and wrong variable in CSI parameter clamps

Six fixes for CSI sequence handlers where seq->param_int[] (uint64_t) values could bypass bounds clamps:

ICH '@' (Insert Character): The clamp compared against cterm->width - j, where j is the Y/row coordinate but should be the X/column coordinate. Replaced with TERM_MAXX - i + 1 (where i is the column), matching the pattern DCH already uses. Without this fix, in tall narrow terminals where row > width, the subtraction underflows to a huge uint64_t, bypassing the clamp entirely and passing garbage to movetext().

IL 'L' (Insert Line): Added if(i < 1) break after i = seq->param_int[0]. The uint64-to-int assignment can produce negative values (e.g. param 0x80000000 becomes INT_MIN) that pass the i > TERM_MAXY - row check, then cause integer overflow in movetext(... max_row - i ...).

DCH 'P' (Delete Character): Same truncation issue. Negative i bypasses i > TERM_MAXX - col + 1, then overflows movetext(col2 + i, ...) and cterm_gotoxy(TERM_MAXX - i, ...).

ECH 'X' (Erase Character): Negative i bypasses i > CURR_MAXX - col, then malloc(negative * sizeof) promotes to a huge size_t allocation that returns NULL, leading to a NULL dereference in vmem_puttext().

Shift Left ' @' and Shift Right ' A': Same truncation pattern. Negative i bypasses the i > TERM_MAXX / i > cterm->width clamps, producing bad movetext() coordinates.

All found via ANSI fuzz testing.

Co-Authored-By: Claude Opus 4.6

---
Synchronet * Vertrauen * Home of Synchronet * [vert/cvs/bbs].synchro.net
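
The two failure modes named in the log message (an upper-bound-only clamp applied after uint64-to-int narrowing, and a clamp bound computed from the wrong coordinate), modelled in C as an added illustration; this is not code from cterm.c. The function names and sample values are constructed, and returning 0 stands in for the handler's break.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the IL/DCH/ECH/shift pattern: narrow first, then check only the
 * upper bound. Hypothetical helper names, not taken from cterm.c. */
static int clamp_truncating(uint64_t param, int limit)
{
    int i = (int)param;   /* 0x80000000 wraps to INT_MIN on common ABIs */
    if (i > limit)        /* a negative i is never "too large" */
        i = limit;
    return i;
}

/* Same path with the guard the log message describes (i < 1 -> skip).
 * Returning 0 stands in for the handler's break. */
static int clamp_guarded(uint64_t param, int limit)
{
    int i = (int)param;
    if (i < 1) return 0;
    if (i > limit)
        i = limit;
    return i;
}

/* Model of the ICH clamp: the bound is computed from the row, so it goes
 * negative when row > width and becomes huge once converted to uint64_t. */
static uint64_t ich_clamp_by_row(uint64_t param, int width, int row)
{
    uint64_t bound = (uint64_t)(width - row);
    return param > bound ? bound : param;
}

/* Bound computed from the column, as the message describes (maxx - col + 1).
 * Assumes 1 <= col <= maxx, so the bound is always at least 1. */
static uint64_t ich_clamp_by_col(uint64_t param, int maxx, int col)
{
    uint64_t bound = (uint64_t)(maxx - col + 1);
    return param > bound ? bound : param;
}

int main(void)
{
    printf("truncating: %d\n", clamp_truncating(0x80000000ULL, 24));
    printf("guarded:    %d\n", clamp_guarded(0x80000000ULL, 24));
    printf("ICH by row: %llu\n", (unsigned long long)ich_clamp_by_row(5000, 10, 40));
    printf("ICH by col: %llu\n", (unsigned long long)ich_clamp_by_col(5000, 10, 3));
    return 0;
}
```

The guard rejects values that narrow to a non-positive int; a parameter such as 0x100000005 still narrows to 5 and is accepted as a small count.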