Date: Mon, 14 Sep 2015 09:13:08 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 202326] libteken assert() fail and result in kernel panic Message-ID: <bug-202326-8-8sDCGQI1q1@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-202326-8@https.bugs.freebsd.org/bugzilla/> References: <bug-202326-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202326 --- Comment #8 from commit-hook@freebsd.org --- A commit references this bug: Author: ed Date: Mon Sep 14 09:12:29 UTC 2015 New revision: 287776 URL: https://svnweb.freebsd.org/changeset/base/287776 Log: MFC r286798 and r286827: Stop parsing digits if the value already exceeds UINT_MAX / 100. There is no need for us to support parsing values that are larger than the maximum terminal window size. In this case that would be the maximum of unsigned short. The problem with parsing larger values is that they can cause integer overflows when adjusting the cursor position, leading to all sorts of failing assertions. MFC r286981 and r287098: Don't truncate cursor arithmetic to 16 bits. When updating the row number when the cursor position escape sequence is issued, we should make sure to store the intermediate result in a 32-bit integer. If we fail to do this, the cursor may be set above the origin region, which is bad. This could cause libteken to crash when INVARIANTS is enabled, due to the strict set of assertions that libteken has. PR: 202326, 202540, 202612 Submitted by: kwcu csie org Changes: _U stable/10/ stable/10/sys/teken/teken.c stable/10/sys/teken/teken_subr.h -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-202326-8-8sDCGQI1q1>