Fixes #729: Ignore libvterm string with length -1 #770
Conversation
libvterm sometimes gives us a string fragment with length 1073741823 [1]. When this happens, we attempt to read 1073741823 bytes, overrunning the buffer and causing a segfault. Fix the crash by adding a check for -1. Because the number is not exactly -1 (because VTermStringFragment.len is a 30-bit bit field at least in my copy of libvterm), do some C trickery to get the -1 value for comparison. [1] This -1 length might be a bug in libvterm. I did not investigate further.
|
Thank you very much! What happens when |
|
Are you asking what exactly causes frag.len to be invalid_string_fragment_len? I don't know, but the test case in #729 triggers it. Are you asking what the code does when frag.len == invalid_string_fragment_len? It'll behave as if frag.len == 0. But that's not 100% true, because the branch on 1176 won't ever be true. Maybe the code would be clearer if I wrote |
Yes, to me that would be clearer. |
libvterm sometimes gives us a string fragment with length 1073741823 [1]. When this happens, we attempt to read 1073741823 bytes, overrunning the buffer and causing a segfault.
Fix the crash by adding a check for -1. Because the number is not exactly -1 (because VTermStringFragment.len is a 30-bit bit field at least in my copy of libvterm), do some C trickery to get the -1 value for comparison.
[1] This -1 length might be a bug in libvterm. I did not investigate further.