svn commit: r344309 - head/sys/teken

Ed Schouten ed at FreeBSD.org
Tue Feb 19 21:58:24 UTC 2019


Author: ed
Date: Tue Feb 19 21:58:23 2019
New Revision: 344309
URL: https://svnweb.freebsd.org/changeset/base/344309

Log:
  Place an upper bound on the number of iterations for REP.
  
  Right now it's possible to invoke the REP escape sequence with a maximum
  of tens of millions of iterations. In practice, there is never any need
  to do this. Calling it more frequently than the number of cells in the
  terminal hardly makes any sense. By placing a limit on it, we can
  prevent users from exhausting resources inside the terminal emulator.
  
  As support for this escape sequence is not present in any of the stable
  branches, there is no need to MFC.
  
  Reported by:	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11255

Modified:
  head/sys/teken/teken_subr.h

Modified: head/sys/teken/teken_subr.h
==============================================================================
--- head/sys/teken/teken_subr.h	Tue Feb 19 21:49:48 2019	(r344308)
+++ head/sys/teken/teken_subr.h	Tue Feb 19 21:58:23 2019	(r344309)
@@ -1337,8 +1337,11 @@ teken_subr_vertical_position_absolute(teken_t *t, unsi
 static void
 teken_subr_repeat_last_graphic_char(teken_t *t, unsigned int rpts)
 {
+	unsigned int max_repetitions;
 
+	max_repetitions = t->t_winsize.tp_row * t->t_winsize.tp_col;
+	if (rpts > max_repetitions)
+		rpts = max_repetitions;
 	for (; t->t_last != 0 && rpts > 0; rpts--)
 		teken_subr_regular_character(t, t->t_last);
 }
-
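Review bot: the clamp added at the top of teken_subr_repeat_last_graphic_char() has no comment saying why rows times columns is the limit, so the rationale lives only in the commit log. A one-line comment above `max_repetitions = t->t_winsize.tp_row * t->t_winsize.tp_col;` noting that repeating more often than there are cells in the terminal is never useful would keep a later reader from treating the bound as arbitrary. Separately, the product is evaluated in whatever type tp_row and tp_col promote to, which is not visible in this hunk; casting one operand to unsigned int before multiplying would make the arithmetic match the type of max_repetitions regardless of how those fields are declared.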

