From cb3b717258d97fd05cd8be2676ad87bbf12b7511 Mon Sep 17 00:00:00 2001
From: Christian Duerr
Date: Sun, 1 Mar 2020 23:25:37 +0000
Subject: Fix OOB in DCS parser

This resolves an issue with parsing of DCS escapes, where it would try to write parameters beyond the maximum parameter count limit. Fixes #50.
---
 src/lib.rs | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib.rs b/src/lib.rs
index af1682e..30708ca 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -202,8 +202,12 @@ impl Parser {
 Action::Print => performer.print(byte as char),
 Action::Execute => performer.execute(byte),
 Action::Hook => {
- self.params[self.num_params] = self.param;
- self.num_params += 1;
+ if self.num_params == MAX_PARAMS {
+ self.ignoring = true;
+ } else {
+ self.params[self.num_params] = self.param;
+ self.num_params += 1;
+ }
 performer.hook(self.params(), self.intermediates(), self.ignoring, byte as char);
 },
@@ -582,6 +586,25 @@ mod tests {
 }
 }
+ #[test]
+ fn parse_dcs_max_params() {
+ static INPUT: &[u8] = b"\x1bP1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;p\x1b";
+ let mut dispatcher = DcsDispatcher::default();
+ let mut parser = Parser::new();
+
+ for byte in INPUT {
+ parser.advance(&mut dispatcher, *byte);
+ }
+
+ // Check that flag is set and thus osc_dispatch assertions ran.
+ assert!(dispatcher.ignore);
+ assert!(dispatcher.dispatched_dcs);
+ assert_eq!(dispatcher.params.len(), MAX_PARAMS);
+ for param in dispatcher.params.iter() {
+ assert_eq!(*param, 1);
+ }
+ }
+
 #[test]
 fn osc_bell_terminated() {
 static INPUT: &[u8] = b"\x1b]11;ff/00/ff\x07";
-- cgit
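Review bot: The new guard in the `Action::Hook` arm compares with `==`, so it protects the index only while `num_params` can never already be above `MAX_PARAMS`; `if self.num_params >= MAX_PARAMS {` states the bound directly and stays safe if another arm ever changes. The bytes reaching this parser are whatever a program writes to the terminal, so the old out-of-bounds index was presumably an input-triggered panic. That makes the branch worth a one-line comment such as `// Param list is full: drop the trailing param and report the sequence as truncated.`. Other arms that store into `self.params` lie outside this hunk; if they do not apply the same limit, a small shared helper would keep the check in one place.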
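Review bot: The comment in `parse_dcs_max_params` says `osc_dispatch assertions ran`, but the test feeds a DCS sequence and checks flags filled by the hook, so it should read `// Check that the ignore flag is set and the DCS hook was dispatched.`. The input covers only the overflow case. A companion test with exactly `MAX_PARAMS` parameters asserting `!dispatcher.ignore` would pin the boundary and catch an off-by-one in the new guard. `DcsDispatcher` is defined outside the hunk, so how it fills `ignore` and `params` is inferred from the field names.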