From 6d997f8068a89703823f1572c56a6331c9e024aa Mon Sep 17 00:00:00 2001
From: Gregory Anders <8965202+gpanders@users.noreply.github.com>
Date: Mon, 19 Aug 2024 06:43:06 -0500
Subject: fix(terminal): handle C0 characters in OSC terminator (#30090) When a C0 character is present in an OSC terminator (i.e. after the ESC but before a \ (0x5c) or printable character), vterm executes the control character and resets the current string fragment. If the C0 character is the final byte in the sequence, the string fragment has a zero length. However, because the VT parser is still in the "escape" state, vterm attempts to subtract 1 from the string length (to account for the escape character). When the string fragment is empty, this causes an underflow in the unsigned size variable, resulting in a buffer overflow. The fix is simple: explicitly check if the string length is non-zero before subtracting.
---
test/functional/terminal/parser_spec.lua | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 test/functional/terminal/parser_spec.lua
(limited to 'test')
diff --git a/test/functional/terminal/parser_spec.lua b/test/functional/terminal/parser_spec.lua
new file mode 100644
index 0000000000..67f47c7888
--- /dev/null
+++ b/test/functional/terminal/parser_spec.lua
@@ -0,0 +1,15 @@
+local n = require('test.functional.testnvim')()
+
+local clear = n.clear
+local api = n.api
+local assert_alive = n.assert_alive
+
+describe(':terminal', function()
+ before_each(clear)
+
+ it('handles invalid OSC terminators #30084', function()
+ local chan = api.nvim_open_term(0, {})
+ api.nvim_chan_send(chan, '\027]8;;https://example.com\027\\Example\027]8;;\027\n')
+ assert_alive()
+ end)
+end)
-- cgit
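Review bot: The only assertion after the `api.nvim_chan_send` call is `assert_alive()`, so this regression test detects the unsigned underflow only when the resulting out-of-bounds access actually kills the process. In a build without a memory sanitizer the overflow may not crash deterministically, so the test could presumably pass even with the fix reverted. It is worth confirming that this spec runs under the sanitizer job. The C-side change is not visible here because the view is limited to `test`. The byte string is also undocumented. A comment above the send, such as `-- second OSC 8 ends with ESC followed by a C0 byte (\n) instead of ESC \, leaving an empty string fragment while the parser is in the escape state`, would tell a reader which bytes trigger the case and keep the payload from being "simplified" later.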