svn commit: r286981 - head/sys/teken
Ed Schouten
ed at FreeBSD.org
Fri Aug 21 06:30:14 UTC 2015
Author: ed
Date: Fri Aug 21 06:30:13 2015
New Revision: 286981
URL: https://svnweb.freebsd.org/changeset/base/286981
Log:
Don't truncate cursor arithmetic to 16 bits.
When updating the row number when the cursor position escape sequence is
issued, we should make sure to store the intermediate result in a 32-bit
integer. If we fail to do this, the cursor may be set above the origin
region, which is bad.
This could cause libteken to crash when INVARIANTS is enabled, due to
the strict set of assertions that libteken has.
PR: 202540
Reported by: kcwu csie org
MFC after: 1 month
Modified:
head/sys/teken/teken_subr.h
Modified: head/sys/teken/teken_subr.h
==============================================================================
--- head/sys/teken/teken_subr.h Fri Aug 21 05:03:03 2015 (r286980)
+++ head/sys/teken/teken_subr.h Fri Aug 21 06:30:13 2015 (r286981)
@@ -324,13 +324,13 @@ static void
teken_subr_cursor_position(teken_t *t, unsigned int row, unsigned int col)
{
- t->t_cursor.tp_row = t->t_originreg.ts_begin + row - 1;
- if (t->t_cursor.tp_row >= t->t_originreg.ts_end)
- t->t_cursor.tp_row = t->t_originreg.ts_end - 1;
-
- t->t_cursor.tp_col = col - 1;
- if (t->t_cursor.tp_col >= t->t_winsize.tp_col)
- t->t_cursor.tp_col = t->t_winsize.tp_col - 1;
+ row = row - 1 + t->t_originreg.ts_begin;
+ t->t_cursor.tp_row = row < t->t_originreg.ts_end ?
+ row : t->t_originreg.ts_end - 1;
+
+ col--;
+ t->t_cursor.tp_col = col < t->t_winsize.tp_col ?
+ col : t->t_winsize.tp_col - 1;
t->t_stateflags &= ~TS_WRAPPED;
teken_funcs_cursor(t);
More information about the svn-src-all
mailing list