[Spice-commits] 2 commits - VERSION console.c
Gerd Hoffmann
kraxel at kemper.freedesktop.org
Wed Sep 5 22:40:08 PDT 2012
VERSION | 2 +-
console.c | 57 ++++++++++++++++++++++++++++-----------------------------
2 files changed, 29 insertions(+), 30 deletions(-)
New commits:
commit 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
Author: Anthony Liguori <aliguori at us.ibm.com>
Date: Wed Sep 5 07:50:01 2012 -0500
Update version for 1.2.0
Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
diff --git a/VERSION b/VERSION
index 9a03ea6..26aaba0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.1.93
+1.2.0
commit 3eea5498ca501922520b3447ba94815bfc109743
Author: Ian Campbell <ian.campbell at citrix.com>
Date: Tue Sep 4 10:26:09 2012 -0500
console: bounds check whenever changing the cursor due to an escape code
This is XSA-17 / CVE-2012-3515
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
diff --git a/console.c b/console.c
index f5e8814..3b5cabb 100644
--- a/console.c
+++ b/console.c
@@ -850,6 +850,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
update_xy(s, x, y);
}
+/* set cursor, checking bounds */
+static void set_cursor(TextConsole *s, int x, int y)
+{
+ if (x < 0) {
+ x = 0;
+ }
+ if (y < 0) {
+ y = 0;
+ }
+ if (y >= s->height) {
+ y = s->height - 1;
+ }
+ if (x >= s->width) {
+ x = s->width - 1;
+ }
+
+ s->x = x;
+ s->y = y;
+}
+
static void console_putchar(TextConsole *s, int ch)
{
TextCell *c;
@@ -921,7 +941,8 @@ static void console_putchar(TextConsole *s, int ch)
s->esc_params[s->nb_esc_params] * 10 + ch - '0';
}
} else {
- s->nb_esc_params++;
+ if (s->nb_esc_params < MAX_ESC_PARAMS)
+ s->nb_esc_params++;
if (ch == ';')
break;
#ifdef DEBUG_CONSOLE
@@ -935,59 +956,37 @@ static void console_putchar(TextConsole *s, int ch)
if (s->esc_params[0] == 0) {
s->esc_params[0] = 1;
}
- s->y -= s->esc_params[0];
- if (s->y < 0) {
- s->y = 0;
- }
+ set_cursor(s, s->x, s->y - s->esc_params[0]);
break;
case 'B':
/* move cursor down */
if (s->esc_params[0] == 0) {
s->esc_params[0] = 1;
}
- s->y += s->esc_params[0];
- if (s->y >= s->height) {
- s->y = s->height - 1;
- }
+ set_cursor(s, s->x, s->y + s->esc_params[0]);
break;
case 'C':
/* move cursor right */
if (s->esc_params[0] == 0) {
s->esc_params[0] = 1;
}
- s->x += s->esc_params[0];
- if (s->x >= s->width) {
- s->x = s->width - 1;
- }
+ set_cursor(s, s->x + s->esc_params[0], s->y);
break;
case 'D':
/* move cursor left */
if (s->esc_params[0] == 0) {
s->esc_params[0] = 1;
}
- s->x -= s->esc_params[0];
- if (s->x < 0) {
- s->x = 0;
- }
+ set_cursor(s, s->x - s->esc_params[0], s->y);
break;
case 'G':
/* move cursor to column */
- s->x = s->esc_params[0] - 1;
- if (s->x < 0) {
- s->x = 0;
- }
+ set_cursor(s, s->esc_params[0] - 1, s->y);
break;
case 'f':
case 'H':
/* move cursor to row, column */
- s->x = s->esc_params[1] - 1;
- if (s->x < 0) {
- s->x = 0;
- }
- s->y = s->esc_params[0] - 1;
- if (s->y < 0) {
- s->y = 0;
- }
+ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
break;
case 'J':
switch (s->esc_params[0]) {
More information about the Spice-commits
mailing list