• src/conio/cterm.c

    From Deucе@1:103/705 to Git commit to main/sbbs/master on Sat Mar 14 18:14:10 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/ca8315b574aecac775cdeed7
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix up DECRQCRA a bit

    Better parameter validation, fix calculation in non-pixel mode.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sat Mar 14 18:14:10 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/4989d81de144af8c05fd37b8
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Zero padding for DECRQCRA vmem_cell CRC

    There's potentially padding in struct vmem_cell, which means the
    crc may differ even if all the data is the same. Explicitly zero
    the padding before CRC calculation.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sat Mar 14 18:14:10 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/bed40ce47064d9c18ba31af8
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Add screenb pixels to crc

    Blink vs. not blink should permute the crc.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sat Mar 14 23:32:40 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d66235fc5c54446e0baa4177
    Modified Files:
    src/conio/cterm.c
    Log Message:
    A couple small fixes...

    DECRQSS 's' had the wrong final byte in DECSLRM
    CTSMRR didn't actually support 4 and 5.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 01:06:05 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d5f6d74b83317aa52edd776d
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix musicbuf overflow and pixel checksum bounds in cterm.c

    musicbuf overflow (line 5930): ANSI music mode (triggered by ESC[|,
    ESC[N, or ESC[M with no params) appends each music character to
    musicbuf[1024] via strcat with no length check. A malicious server
    can send >1023 music characters to overflow the buffer. Add a
    bounds check before the strcat.

    Pixel checksum bounds (lines 3689/3691): The bounds checks for
    param_int[2] and param_int[4] (row parameters) were comparing
    against charwidth*width (the column pixel limit) instead of
    charheight*height (the row pixel limit). This made the check too
    permissive on wide screens and too strict on tall ones.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 16:01:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/562ed4bd1dde9067de65da78
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix ATASCII cursor movement wrap behavior and backspace

    Cursor movement (up/down/left/right) wraps to the opposite edge of the
    same row or column, matching real Atari hardware behavior. Backspace
    does not wrap — it sticks at the left margin.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d0be28bdfbb1b0c26ce8a723
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Clamp SU/SD scroll count to scroll region height

    CSI Ps S (Scroll Up) and CSI Ps T (Scroll Down) looped param_int[0]
    times calling cterm_scrollup()/scrolldown() individually. With a huge
    parameter (e.g. ESC[65536T), this performed tens of thousands of
    movetext + clear operations, hanging the terminal for seconds — a
    low-bandwidth DoS from a 9-byte sequence.

    Clamp the count to TERM_MAXY (the scroll region height). Scrolling
    more lines than the region contains is equivalent to clearing it.
    This matches how IL, DL, ICH, and DCH all clamp their counts already.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/1105669b6db24c1bc1f73351
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix integer overflow in dellines() clamp check

    The check (sy + lines - 1) > maxy overflows when lines is near
    INT_MAX (e.g. ESC[2147483647M), wrapping to negative and bypassing
    the clamp. The unclamped value then causes the clear loop at line 1075
    to iterate ~2 billion times (TERM_MAXY - lines + 1 goes hugely
    negative, looping up to TERM_MAXY).

    Rearrange to lines > maxy - sy + 1, which cannot overflow since
    maxy >= sy is guaranteed by the prior bounds check.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
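The clamp rearrangement described in the dellines() commit above, as an added example that is not code from cterm.c. The function names and sample values are hypothetical, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Old form: (sy + lines - 1) > maxy. The int addition is modelled with
 * unsigned 32-bit arithmetic so the wrap is explicit and the demo itself
 * contains no undefined behaviour. */
static int clamp_lines_old(int sy, int maxy, int lines)
{
	int32_t last = (int32_t)((uint32_t)sy + (uint32_t)lines - 1u);

	if (last > maxy)
		lines = maxy - sy + 1;
	return lines;
}

/* Rearranged form: lines > maxy - sy + 1. With sy <= maxy already
 * established, the right-hand side is a small positive int. */
static int clamp_lines_new(int sy, int maxy, int lines)
{
	if (lines > maxy - sy + 1)
		lines = maxy - sy + 1;
	return lines;
}

int main(void)
{
	/* Constructed inputs: cursor on row 10 of a 24-row region. */
	const int sy = 10, maxy = 24;
	const int counts[] = { 3, 100, INT_MAX };

	for (size_t n = 0; n < sizeof counts / sizeof counts[0]; n++)
		printf("lines=%-10d old=%-10d new=%d\n", counts[n],
		    clamp_lines_old(sy, maxy, counts[n]),
		    clamp_lines_new(sy, maxy, counts[n]));
	return 0;
}
```

With sy = 1 the old sum does not wrap, so the bypass only appears when the starting row is 2 or greater.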
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/5f54bde4ef38428075e84e60
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Clamp CHT/CVT/CBT tab count to width * height

    CSI Ps I (Cursor Forward Tabulation), CSI Ps Y (Cursor Line
    Tabulation), and CSI Ps Z (Cursor Backward Tabulation) looped
    param_int[0] times calling do_tab()/do_backtab(). With a huge
    parameter, CHT/CVT would perform billions of tab-then-scroll-up
    cycles (do_tab wraps and scrolls at the bottom margin), while CBT
    would perform billions of gotoxy() calls.

    Clamp the count to width * height. This preserves the legitimate
    behavior of tabbing across line boundaries with scrolling, while
    preventing a DoS from huge parameters. Any count beyond width * height
    just scrolls blank lines off the top repeatedly.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 22:51:38 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/1ca9c740a257a2eb93f86bf9
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix uint64-to-int truncation and wrong variable in CSI parameter clamps

    Six fixes for CSI sequence handlers where seq->param_int[] (uint64_t)
    values could bypass bounds clamps:

    ICH '@' (Insert Character): The clamp compared against cterm->width - j
    where j is the Y/row coordinate — should be the X/column coordinate.
    Replaced with TERM_MAXX - i + 1 (where i is the column), matching the
    pattern DCH already uses. Without this fix, in tall narrow terminals
    where row > width, the subtraction underflows to a huge uint64_t,
    bypassing the clamp entirely and passing garbage to movetext().

    IL 'L' (Insert Line): Added if(i < 1) break after i = seq->param_int[0].
    The uint64-to-int assignment can produce negative values (e.g. param
    0x80000000 becomes INT_MIN) that pass the i > TERM_MAXY - row check,
    then cause integer overflow in movetext(... max_row - i ...).

    DCH 'P' (Delete Character): Same truncation issue. Negative i bypasses
    i > TERM_MAXX - col + 1, then overflows movetext(col2 + i, ...) and
    cterm_gotoxy(TERM_MAXX - i, ...).

    ECH 'X' (Erase Character): Negative i bypasses i > CURR_MAXX - col,
    then malloc(negative * sizeof) promotes to a huge size_t allocation
    that returns NULL, leading to a NULL dereference in vmem_puttext().

    Shift Left ' @' and Shift Right ' A': Same truncation pattern. Negative
    i bypasses the i > TERM_MAXX / i > cterm->width clamps, producing bad
    movetext() coordinates.

    All found via ANSI fuzz testing.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
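The two clamp failures described in the last commit above (uint64-to-int truncation, and the ICH comparison against a negative difference), as an added example that is not code from cterm.c. Function names and values are hypothetical; a 32-bit int and wrapping narrowing conversion, as on common compilers, are assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Old pattern: narrow the uint64_t parameter to int, then clamp only
 * the upper bound. A negative result slips under the clamp. */
static int count_upper_only(uint64_t param, int limit)
{
	int i = (int)param;	/* implementation-defined; wraps on common ABIs */

	if (i > limit)
		i = limit;
	return i;
}

/* Pattern from the commit message: reject i < 1 before the upper clamp.
 * Returns 0 where the handler would break out and do nothing. */
static int count_checked(uint64_t param, int limit)
{
	int i = (int)param;

	if (i < 1)
		return 0;
	if (i > limit)
		i = limit;
	return i;
}

/* ICH case: comparing the uint64_t parameter against (width - coord)
 * converts a negative difference to a huge unsigned value, so the
 * clamp never fires. Returns 1 when the clamp would apply. */
static int ich_clamp_fires(uint64_t param, int width, int coord)
{
	return param > (uint64_t)(width - coord);
}

int main(void)
{
	/* Constructed inputs: limit of 24, parameter 0x80000000. */
	printf("upper-only: %d\n", count_upper_only(0x80000000ULL, 24));
	printf("checked:    %d\n", count_checked(0x80000000ULL, 24));
	/* 40-column terminal, coordinate 50 (a row, wrongly) vs 10 (a column). */
	printf("ICH row 50: %d, col 10: %d\n",
	    ich_clamp_fires(1000, 40, 50), ich_clamp_fires(1000, 40, 10));
	return 0;
}
```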