From 3fce280b80daecff7bcfa5e5b57c02eaa51ef001 Mon Sep 17 00:00:00 2001
From: Christian Persch <Christian Persch@chpe>
Date: Fri, 5 Jul 2024 15:31:41 +0800
Subject: [PATCH] fix CVE-2024-37535
---
src/vtegtk.cc | 34 ++++++++++++++++++++++++++++++++++
src/vteseq.cc | 16 ++++++++++------
2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/src/vtegtk.cc b/src/vtegtk.cc
index 2e68597..9350183 100644
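--- a/src/vtegtk.cc
+++ b/src/vtegtk.cc
@@ -73,6 +73,38 @@
 #define _VTE_PARAM_DEPRECATED (_vte_debug_on(VTE_DEBUG_SIGNALS) ? G_PARAM_DEPRECATED : 0)
 
 #define VTE_TERMINAL_CSS_NAME "vte-terminal"
+static inline void
+sanitise_widget_size_request(int* minimum,
+ int* natural) noexcept
+{
+ // Overly large size requests will make gtk happily allocate
+ // a window size over the window system's limits (see
+ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
+ // leading to aborting the whole process.
+ // The toolkit should be in a better position to know about
+ // these limits and not exceed them (which here is certainly
+ // possible since our minimum sizes are very small), let's
+ // limit the widget's size request to some large value
+ // that hopefully is within the absolute limits of
+ // the window system (assumed here to be int16 range,
+ // and leaving some space for the widgets that contain
+ // the terminal).
+ auto const limit = (1 << 15) - (1 << 12);
+
+ if (*minimum > limit || *natural > limit) {
+ static auto warned = false;
+
+ if (!warned) {
+ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
+ *minimum, *natural);
+ warned = true;
+ }
+ }
+
+ *minimum = std::min(*minimum, limit);
+ *natural = std::clamp(*natural, *minimum, limit);
+}
+
 
 struct _VteTerminalClassPrivate {
 GtkStyleProvider *fallback_style_provider;
@@ -405,6 +437,7 @@ try
 {
 VteTerminal *terminal = VTE_TERMINAL(widget);
 WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
+ sanitise_widget_size_request(minimum_width, natural_width);
 }
 catch (...)
 {
@@ -419,6 +452,7 @@ try
 {
 VteTerminal *terminal = VTE_TERMINAL(widget);
 WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
+ sanitise_widget_size_request(minimum_height, natural_height);
 }
 catch (...)
 {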
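Review bot: The `warned` flag in `sanitise_widget_size_request` is a function-local `static`, so the warning fires once per process rather than once per widget; in an application hosting several terminals only the first oversized size request is ever logged. If that is intended, a comment on the flag such as `// Warn only once per process to avoid flooding the log` would say so. The `g_warning` format string ends in `\n`, which GLib's default log handler already appends, so the trailing newline can be dropped. `std::min` and `std::clamp` need `<algorithm>`; the file's include block is outside these hunks, so it is worth confirming the header is included directly rather than transitively.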
diff --git a/src/vteseq.cc b/src/vteseq.cc
index 6e7cb87..ac5c71e 100644
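--- a/src/vteseq.cc
+++ b/src/vteseq.cc
@@ -211,7 +211,16 @@ void
 Terminal::emit_resize_window(guint columns,
 guint rows)
 {
- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
+ // Ignore resizes with excessive number of rows or columns,
+ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+ if (columns < 2 ||
+ columns > 511 ||
+ rows < 1 ||
+ rows > 511)
+ return;
+
+ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
+ columns, rows);
 g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
 }
 
@@ -4476,8 +4485,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
 else if (param < 24)
 return;
 
- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
-
 emit_resize_window(m_column_count, param);
 }
 
@@ -8688,9 +8695,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
 seq.collect(1, {&height, &width});
 
 if (width != -1 && height != -1) {
- _vte_debug_print(VTE_DEBUG_EMULATION,
- "Resizing window to %d columns, %d rows.\n",
- width, height);
 emit_resize_window(width, height);
 }
 break;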
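Review bot: The new bounds check in `Terminal::emit_resize_window` returns silently, and because this commit also removes the `VTE_DEBUG_EMULATION` prints from `DECSLPP` and `XTERM_WM`, an out-of-range resize request coming from an escape sequence no longer leaves any debug trace. A print in the reject branch, for example `_vte_debug_print(VTE_DEBUG_SIGNALS, "Ignoring resize-window request: %u columns %u rows.\n", columns, rows);`, would keep rejected requests visible when investigating terminal input. The retained print passes the `guint` parameters to `%d`; `%u` matches their type. The limits 2, 1 and 511 are bare literals; named constants with a short comment on how 511 relates to the size cap added in src/vtegtk.cc would make the two checks easier to keep in step.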
--
2.27.0