From 6d997f8068a89703823f1572c56a6331c9e024aa Mon Sep 17 00:00:00 2001
From: Gregory Anders <8965202+gpanders@users.noreply.github.com>
Date: Mon, 19 Aug 2024 06:43:06 -0500
Subject: fix(terminal): handle C0 characters in OSC terminator (#30090)

When a C0 character is present in an OSC terminator (i.e. after the ESC but before a \ (0x5c) or printable character), vterm executes the control character and resets the current string fragment. If the C0 character is the final byte in the sequence, the string fragment has a zero length. However, because the VT parser is still in the "escape" state, vterm attempts to subtract 1 from the string length (to account for the escape character). When the string fragment is empty, this causes an underflow in the unsigned size variable, resulting in a buffer overflow. The fix is simple: explicitly check if the string length is non-zero before subtracting.
---
 src/nvim/terminal.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/nvim/terminal.c')
diff --git a/src/nvim/terminal.c b/src/nvim/terminal.c
index 2b44763ddd..43f68f7321 100644
--- a/src/nvim/terminal.c
+++ b/src/nvim/terminal.c
@@ -271,10 +271,11 @@ static int parse_osc8(VTermStringFragment frag, int *attr)
 }
 static int on_osc(int command, VTermStringFragment frag, void *user)
+ FUNC_ATTR_NONNULL_ALL
 {
 Terminal *term = user;
- if (frag.str == NULL) {
+ if (frag.str == NULL || frag.len == 0) {
 return 0;
 }
-- cgit
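Review bot: The new `frag.len == 0` guard at the top of on_osc needs a why-comment, because an early return on an empty fragment reads like a harmless no-op rather than the underflow fix the commit message describes, e.g. `// A C0 control inside the OSC terminator can leave an empty fragment; later code subtracts 1 from frag.len for the ESC, so bail out before that underflows.` The subtraction site itself is not in this hunk, so the check only protects the path through on_osc; if other string-fragment callbacks in this file subtract from frag.len the same way, they need the same guard. Worth confirming as well that a zero-length fragment cannot arrive with `frag.final` set, since the early return would drop that end-of-string signal if on_osc accumulates state across fragments. on_osc's body continues past the end of the hunk.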