patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list

Problem:  libvterm CSI parser does not bounds-check argi against
          CSI_ARGS_MAX, allowing excess ';'-separated arguments to
          write past the end of the args array (sentinel404).
Solution: Drop excess arguments.

Supported by AI

Signed-off-by: Christian Brabandt <[email protected]>

Author: chrisbra

src/libvterm/src/parser.c

@@ -241,6 +241,8 @@ size_t vterm_input_write(VTerm *vt, const char *bytes, size_t len)
         c = ';';
       }
       if(c == ';') {
+        if(vt->parser.v.csi.argi >= CSI_ARGS_MAX - 1)
+          break; /* drop excess args */
         vt->parser.v.csi.argi++;
         vt->parser.v.csi.args[vt->parser.v.csi.argi] = CSI_ARG_MISSING;
         break;

src/testdir/test_terminal3.vim

@@ -1229,4 +1229,15 @@ func Test_term_autowrite()
   set noautowrite
 endfunc
 
+" Test that CSI sequences with more than CSI_ARGS_MAX arguments do not crash
+func Test_terminal_csi_args_overflow()
+  CheckExecutable printf
+  let buf = term_start([&shell, &shellcmdflag,
+        \ 'printf "\033[' . repeat('1;', 49) . '1m"'])
+
+  " If we get here without a crash, the fix works
+  call assert_equal('running', term_getstatus(buf))
+  call StopVimInTerminal(buf)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    279,
 /**/
     278,
 /**/