Blame 0224-TextConsole-saturate-escape-parameter-in-TTY_STATE_C.patch

5544c1
From 93eaa3c8e14988fb38dfa9ae35067472bfd089b8 Mon Sep 17 00:00:00 2001
5544c1
From: Laszlo Ersek <lersek@redhat.com>
5544c1
Date: Mon, 17 Sep 2012 11:10:03 +0200
5544c1
Subject: [PATCH] TextConsole: saturate escape parameter in TTY_STATE_CSI
5544c1
5544c1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
5544c1
Reviewed-by: Markus Armbruster <armbru@redhat.com>
5544c1
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
5544c1
(cherry picked from commit c10600af60865ba6c60987be313102ebb5fcee57)
5544c1
5544c1
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
5544c1
---
5544c1
 console.c | 7 +++++--
5544c1
 1 file changed, 5 insertions(+), 2 deletions(-)
5544c1
5544c1
diff --git a/console.c b/console.c
5544c1
index 8b5e21d..314f5a5 100644
5544c1
--- a/console.c
5544c1
+++ b/console.c
5544c1
@@ -937,8 +937,11 @@ static void console_putchar(TextConsole *s, int ch)
5544c1
     case TTY_STATE_CSI: /* handle escape sequence parameters */
5544c1
         if (ch >= '0' && ch <= '9') {
5544c1
             if (s->nb_esc_params < MAX_ESC_PARAMS) {
5544c1
-                s->esc_params[s->nb_esc_params] =
5544c1
-                    s->esc_params[s->nb_esc_params] * 10 + ch - '0';
5544c1
+                int *param = &s->esc_params[s->nb_esc_params];
5544c1
+                int digit = (ch - '0');
5544c1
+
5544c1
+                *param = (*param <= (INT_MAX - digit) / 10) ?
5544c1
+                         *param * 10 + digit : INT_MAX;
5544c1
             }
5544c1
         } else {
5544c1
             if (s->nb_esc_params < MAX_ESC_PARAMS)
5544c1
-- 
5544c1
1.7.12.1
5544c1