input: ensure that no more bytes are consumed than are available

The value of 'consumed' may not exceed the given 'length'. Bug existed since version 2.9.3, commit e739448c. (Bug was found by studying Fedora crash reports. Thank you, Fedora!)
2021-12-12 15:43:15 +01:00 · 2021-12-12 15:43:15 +01:00 · fae5f823e1
commit fae5f823e1
parent bdf8e41a72
1 changed files with 2 additions and 1 deletions
--- a/src/winio.c
+++ b/src/winio.c
@ -507,8 +507,9 @@ int convert_SS3_sequence(const int *seq, size_t length, int *consumed)
 /* Translate a sequence that began with "Esc [" to its corresponding key code. */
 int convert_CSI_sequence(const int *seq, size_t length, int *consumed)
 {
-	if (seq[0] < '9')
+	if (seq[0] < '9' && length > 1)
 		*consumed = 2;
+
 	switch (seq[0]) {
 		case '1':
 			if (length > 1 && seq[1] == '~')