Group :: Sistema/Bibliotecas
RPM: libvterm
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: 0001-ALT-Fix-CVE-2018-20786.patch
Download
Download
From 8abe53cf4850955f9cc9ce1b3b1305f209d7858c Mon Sep 17 00:00:00 2001
From: "Vladimir D. Seleznev" <vseleznv@altlinux.org>
Date: Thu, 12 Sep 2019 21:12:25 +0300
Subject: [PATCH] ALT Fix CVE-2018-20786
Fix crash when out of memory while opening a terminal window.
Based on cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8 of https://github.com/vim/vim.
---
libvert/src/screen.c | 25 ++++++++++++++++---------
libvert/src/state.c | 9 +++++++++
2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/libvert/src/screen.c b/libvert/src/screen.c
index 8cb8c46..f305dad 100644
--- a/libvert/src/screen.c
+++ b/libvert/src/screen.c
@@ -94,8 +94,7 @@ static ScreenCell *realloc_buffer(VTermScreen *screen, ScreenCell *buffer, int n
}
}
- if(buffer)
- vterm_allocator_free(screen->vt, buffer);
+ vterm_allocator_free(screen->vt, buffer);
return new_buffer;
}
@@ -517,8 +516,7 @@ static int resize(int new_rows, int new_cols, VTermPos *delta, void *user)
screen->rows = new_rows;
screen->cols = new_cols;
- if(screen->sb_buffer)
- vterm_allocator_free(screen->vt, screen->sb_buffer);
+ vterm_allocator_free(screen->vt, screen->sb_buffer);
screen->sb_buffer = vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * new_cols);
@@ -619,13 +617,20 @@ static VTermStateCallbacks state_cbs = {
.setlineinfo = &setlineinfo,
};
+/*
+ * Allocate a new screen and return it.
+ * Return NULL when out of memory.
+ */
static VTermScreen *screen_new(VTerm *vt)
{
VTermState *state = vterm_obtain_state(vt);
- if(!state)
+ if (state == NULL)
return NULL;
VTermScreen *screen = vterm_allocator_malloc(vt, sizeof(VTermScreen));
+ if (screen == NULL)
+ return NULL;
+
int rows, cols;
vterm_get_size(vt, &rows, &cols);
@@ -648,6 +653,11 @@ static VTermScreen *screen_new(VTerm *vt)
screen->buffer = screen->buffers[0];
screen->sb_buffer = vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * cols);
+ if (screen->buffer == NULL || screen->sb_buffer == NULL)
+ {
+ vterm_screen_free(screen);
+ return NULL;
+ }
vterm_state_set_callbacks(screen->state, &state_cbs, screen);
@@ -657,11 +667,8 @@ static VTermScreen *screen_new(VTerm *vt)
INTERNAL void vterm_screen_free(VTermScreen *screen)
{
vterm_allocator_free(screen->vt, screen->buffers[0]);
- if(screen->buffers[1])
- vterm_allocator_free(screen->vt, screen->buffers[1]);
-
+ vterm_allocator_free(screen->vt, screen->buffers[1]);
vterm_allocator_free(screen->vt, screen->sb_buffer);
-
vterm_allocator_free(screen->vt, screen);
}
diff --git a/libvert/src/state.c b/libvert/src/state.c
index 68cc4f6..ad61c90 100644
--- a/libvert/src/state.c
+++ b/libvert/src/state.c
@@ -52,6 +52,8 @@ static VTermState *vterm_state_new(VTerm *vt)
{
VTermState *state = vterm_allocator_malloc(vt, sizeof(VTermState));
+ if (state == NULL)
+ return NULL;
state->vt = vt;
state->rows = vt->rows;
@@ -1665,12 +1667,19 @@ static const VTermParserCallbacks parser_callbacks = {
.resize = on_resize,
};
+/*
+ * Return the existing state or create a new one.
+ * Returns NULL when out of memory.
+ */
VTermState *vterm_obtain_state(VTerm *vt)
{
if(vt->state)
return vt->state;
VTermState *state = vterm_state_new(vt);
+ if (state == NULL)
+ return NULL;
+
vt->state = state;
state->combine_chars_size = 16;
--
2.21.0