patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args

chrisbra · mattn · chrisbra · commit 71a0a552cf08 · 2026-04-03T09:36:56.000Z
Problem:  Accumulating CSI argument digits without an upper bound causes
          signed integer overflow when the argument exceeds LONG_MAX.
Solution: Clamp CSI argument accumulation to CSI_ARG_MISSING to prevent
          signed integer overflow (Yasuhiro Matsumoto).

closes: #19894

Co-authored-by: Yasuhiro Matsumoto &lt;mattn.jp@gmail.com&gt;
Signed-off-by: Christian Brabandt &lt;cb@256bit.org&gt;
diff --git a/src/libvterm/src/parser.c b/src/libvterm/src/parser.c
@@ -232,8 +232,10 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
       if(c >= '0' && c <= '9') {
         if(vt->parser.v.csi.args[vt->parser.v.csi.argi] == CSI_ARG_MISSING)
           vt->parser.v.csi.args[vt->parser.v.csi.argi] = 0;
-        vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
-        vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+        if(vt->parser.v.csi.args[vt->parser.v.csi.argi] < (CSI_ARG_MISSING - 9) / 10) {
+          vt->parser.v.csi.args[vt->parser.v.csi.argi] *= 10;
+          vt->parser.v.csi.args[vt->parser.v.csi.argi] += c - '0';
+        }
         break;
       }
       if(c == ':') {
diff --git a/src/version.c b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    288,
 /**/
     287,
 /**/
