From 3fce280b80daecff7bcfa5e5b57c02eaa51ef001 Mon Sep 17 00:00:00 2001
From: Christian Persch
Date: Fri, 5 Jul 2024 15:31:41 +0800
Subject: [PATCH] fix CVE-2024-37535
---
 src/vtegtk.cc | 34 ++++++++++++++++++++++++++++++++++
 src/vteseq.cc | 16 ++++++++++------
 2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/src/vtegtk.cc b/src/vtegtk.cc
index 2e68597..9350183 100644
--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
@@ -73,6 +73,38 @@
 #define _VTE_PARAM_DEPRECATED (_vte_debug_on(VTE_DEBUG_SIGNALS) ? G_PARAM_DEPRECATED : 0)
 #define VTE_TERMINAL_CSS_NAME "vte-terminal"
+static inline void
+sanitise_widget_size_request(int* minimum,
+ int* natural) noexcept
+{
+ // Overly large size requests will make gtk happily allocate
+ // a window size over the window system's limits (see
+ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+ // leading to aborting the whole process.
+ // The toolkit should be in a better position to know about
+ // these limits and not exceed them (which here is certainly
+ // possible since our minimum sizes are very small), let's
+ // limit the widget's size request to some large value
+ // that hopefully is within the absolute limits of
+ // the window system (assumed here to be int16 range,
+ // and leaving some space for the widgets that contain
+ // the terminal).
+ auto const limit = (1 << 15) - (1 << 12);
+
+ if (*minimum > limit || *natural > limit) {
+ static auto warned = false;
+
+ if (!warned) {
+ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+ *minimum, *natural);
+ warned = true;
+ }
+ }
+
+ *minimum = std::min(*minimum, limit);
+ *natural = std::clamp(*natural, *minimum, limit);
+}
+
 struct _VteTerminalClassPrivate { GtkStyleProvider *fallback_style_provider;
@@ -405,6 +437,7 @@ try { VteTerminal *terminal = VTE_TERMINAL(widget); WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+ sanitise_widget_size_request(minimum_width, natural_width);
 } catch (...) {
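Review bot: In `sanitise_widget_size_request()` (src/vtegtk.cc), `std::clamp(*natural, *minimum, limit)` is well-defined only because the line before it has already capped `*minimum` at `limit`; std::clamp has undefined behaviour when its lower bound exceeds its upper bound, so the two statements must stay in this order. A comment such as `// *minimum <= limit is guaranteed by the line above; std::clamp requires lo <= hi` would record that dependency. The function-local `static auto warned` means only the first oversized request is ever logged, so later ones are clamped silently. The `g_warning` format ends in `\n` although GLib appends its own newline; `g_warning("Widget size request (minimum %d, natural %d) exceeds limits", *minimum, *natural);` avoids the blank line. No `<algorithm>` include is visible in this hunk, so `std::min`/`std::clamp` presumably rely on an include elsewhere in the file.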
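Review bot: The cap is wired into the `get_preferred_width` wrapper here (`@@ -405,6 +437,7 @@`) and the `get_preferred_height` wrapper in the following hunk (`@@ -419,6 +452,7 @@`), which are the GTK 3 size-request entry points; if this tree also builds a GTK 4 `measure` implementation, that path would need the same `sanitise_widget_size_request(minimum, natural);` call, which cannot be confirmed from the hunks shown. The call sits inside what appears to be a function-try-block, so if `get_preferred_width()` throws, the out-parameters are handed back through the `catch (...)` handler without being capped; the handler body is outside the hunk and should be checked to set safe values. Both wrapper functions begin and end outside their hunks.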
@@ -419,6 +452,7 @@ try { VteTerminal *terminal = VTE_TERMINAL(widget); WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+ sanitise_widget_size_request(minimum_height, natural_height);
 } catch (...) {
diff --git a/src/vteseq.cc b/src/vteseq.cc
index 6e7cb87..ac5c71e 100644
--- a/src/vteseq.cc
+++ b/src/vteseq.cc
@@ -211,7 +211,16 @@ void Terminal::emit_resize_window(guint columns, guint rows) {
- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+ // Ignore resizes with excessive number of rows or columns,
+ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+ if (columns < 2 ||
+ columns > 511 ||
+ rows < 1 ||
+ rows > 511)
+ return;
+
+ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+ columns, rows);
 g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows); }
@@ -4476,8 +4485,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq) else if (param < 24) return;
- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
-
 emit_resize_window(m_column_count, param); }
@@ -8688,9 +8695,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq) seq.collect(1, {&height, &width}); if (width != -1 && height != -1) {
- _vte_debug_print(VTE_DEBUG_EMULATION,
- "Resizing window to %d columns, %d rows.\n",
- width, height);
 emit_resize_window(width, height); } break;
-- 
2.27.0
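Review bot: Out-of-range requests in `Terminal::emit_resize_window()` (src/vteseq.cc, `@@ -211,7 +211,16 @@`) return before any debug output, and the `DECSLPP` and `XTERM_WM` hunks of this patch remove the `VTE_DEBUG_EMULATION` prints from the callers, so a rejected resize sequence now leaves no trace even with debugging enabled. Giving the `if` a braced body with `_vte_debug_print(VTE_DEBUG_EMULATION, "Ignoring resize to %u columns %u rows.\n", columns, rows);` before the `return` would keep rejected requests visible when triaging a misbehaving or hostile application. `columns` and `rows` are `guint`, so the new "Emitting" format string should use `%u` rather than `%d`. The bounds 2, 1 and 511 are bare literals; named constants with a short comment on how 511 cells relate to the `(1 << 15) - (1 << 12)` pixel cap in src/vtegtk.cc would make the limit auditable.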