From owner-freebsd-bugs@freebsd.org Mon Sep 14 09:31:14 2015 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5FA3AA03DC7 for ; Mon, 14 Sep 2015 09:31:14 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4C3B21D04 for ; Mon, 14 Sep 2015 09:31:14 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t8E9VEfe001479 for ; Mon, 14 Sep 2015 09:31:14 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 202326] libteken assert() fail and result in kernel panic Date: Mon, 14 Sep 2015 09:31:14 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: commit-hook@freebsd.org X-Bugzilla-Status: In Progress X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Sep 2015 09:31:14 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202326 --- Comment #9 from commit-hook@freebsd.org --- A commit references this bug: Author: ed Date: Mon Sep 14 09:31:01 UTC 2015 New revision: 287777 URL: https://svnweb.freebsd.org/changeset/base/287777 Log: MFC r286798 and r286827: Stop parsing digits if the value already exceeds UINT_MAX / 100. There is no need for us to support parsing values that are larger than the maximum terminal window size. In this case that would be the maximum of unsigned short. The problem with parsing larger values is that they can cause integer overflows when adjusting the cursor position, leading to all sorts of failing assertions. MFC r286981 and r287098: Don't truncate cursor arithmetic to 16 bits. When updating the row number when the cursor position escape sequence is issued, we should make sure to store the intermediate result in a 32-bit integer. If we fail to do this, the cursor may be set above the origin region, which is bad. This could cause libteken to crash when INVARIANTS is enabled, due to the strict set of assertions that libteken has. PR: 202326, 202540, 202612 Submitted by: kwcu csie org Changes: _U stable/9/ _U stable/9/sys/ stable/9/sys/teken/teken.c stable/9/sys/teken/teken_subr.h -- You are receiving this mail because: You are the assignee for the bug.