• src/conio/cterm.c

    From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 16:01:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/562ed4bd1dde9067de65da78
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix ATASCII cursor movement wrap behavior and backspace

    Cursor movement (up/down/left/right) wraps to the opposite edge of the
    same row or column, matching real Atari hardware behavior. Backspace
    does not wrap — it sticks at the left margin.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d0be28bdfbb1b0c26ce8a723
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Clamp SU/SD scroll count to scroll region height

    CSI Ps S (Scroll Up) and CSI Ps T (Scroll Down) looped param_int[0]
    times calling cterm_scrollup()/scrolldown() individually. With a huge
    parameter (e.g. ESC[65536T), this performed tens of thousands of
    movetext + clear operations, hanging the terminal for seconds — a
    low-bandwidth DoS from a 9-byte sequence.

    Clamp the count to TERM_MAXY (the scroll region height). Scrolling
    more lines than the region contains is equivalent to clearing it.
    This matches how IL, DL, ICH, and DCH all clamp their counts already.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/1105669b6db24c1bc1f73351
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix integer overflow in dellines() clamp check

    The check (sy + lines - 1) > maxy overflows when lines is near
    INT_MAX (e.g. ESC[2147483647M), wrapping to negative and bypassing
    the clamp. The unclamped value then causes the clear loop at line 1075
    to iterate ~2 billion times (TERM_MAXY - lines + 1 goes hugely
    negative, looping up to TERM_MAXY).

    Rearrange to lines > maxy - sy + 1, which cannot overflow since
    maxy >= sy is guaranteed by the prior bounds check.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
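The dellines() clamp described in the message above, as an added example (not code from the commit or from cterm.c). The helper names and the sample row/region values are hypothetical; the wrapping form uses unsigned arithmetic to model the overflow without undefined behaviour.

```c
#include <limits.h>
#include <stdio.h>

/* Pre-fix shape: (sy + lines - 1) > maxy. The sum is computed in unsigned
 * arithmetic and converted back so the wraparound can be shown without
 * signed-overflow undefined behaviour (the result wraps on two's-complement
 * targets, as the commit message describes). Hypothetical helper. */
static int clamp_lines_wrapping(int sy, int maxy, int lines)
{
    int last = (int)((unsigned)sy + (unsigned)lines - 1u);

    if (last > maxy)
        lines = maxy - sy + 1;
    return lines;
}

/* Post-fix shape: lines > maxy - sy + 1. With 1 <= sy <= maxy the right-hand
 * side stays in [1, maxy], so nothing can overflow. Hypothetical helper. */
static int clamp_lines_safe(int sy, int maxy, int lines)
{
    if (sy < 1 || sy > maxy)    /* assumed stand-in for the prior bounds check */
        return 0;
    if (lines > maxy - sy + 1)
        lines = maxy - sy + 1;
    return lines;
}

int main(void)
{
    /* Constructed inputs: cursor on row 5 of a 24-row region. */
    const int sy = 5, maxy = 24;
    const int counts[] = { 1, 20, 21, 65536, INT_MAX };

    for (size_t n = 0; n < sizeof counts / sizeof counts[0]; n++)
        printf("lines=%-10d wrapping=%-10d safe=%d\n", counts[n],
               clamp_lines_wrapping(sy, maxy, counts[n]),
               clamp_lines_safe(sy, maxy, counts[n]));
    return 0;
}
```

Only the INT_MAX row differs: the wrapping check lets the count through unclamped, while the rearranged check reduces it to the 20 rows that remain in the region.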
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 20:35:47 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/5f54bde4ef38428075e84e60
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Clamp CHT/CVT/CBT tab count to width * height

    CSI Ps I (Cursor Forward Tabulation), CSI Ps Y (Cursor Line
    Tabulation), and CSI Ps Z (Cursor Backward Tabulation) looped
    param_int[0] times calling do_tab()/do_backtab(). With a huge
    parameter, CHT/CVT would perform billions of tab-then-scroll-up
    cycles (do_tab wraps and scrolls at the bottom margin), while CBT
    would perform billions of gotoxy() calls.

    Clamp the count to width * height. This preserves the legitimate
    behavior of tabbing across line boundaries with scrolling, while
    preventing a DoS from huge parameters. Any count beyond width * height
    just scrolls blank lines off the top repeatedly.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 22:51:38 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/1ca9c740a257a2eb93f86bf9
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix uint64-to-int truncation and wrong variable in CSI parameter clamps

    Six fixes for CSI sequence handlers where seq->param_int[] (uint64_t)
    values could bypass bounds clamps:

    ICH '@' (Insert Character): The clamp compared against cterm->width - j
    where j is the Y/row coordinate — should be the X/column coordinate.
    Replaced with TERM_MAXX - i + 1 (where i is the column), matching the
    pattern DCH already uses. Without this fix, in tall narrow terminals
    where row > width, the subtraction underflows to a huge uint64_t,
    bypassing the clamp entirely and passing garbage to movetext().

    IL 'L' (Insert Line): Added if(i < 1) break after i = seq->param_int[0].
    The uint64-to-int assignment can produce negative values (e.g. param
    0x80000000 becomes INT_MIN) that pass the i > TERM_MAXY - row check,
    then cause integer overflow in movetext(... max_row - i ...).

    DCH 'P' (Delete Character): Same truncation issue. Negative i bypasses
    i > TERM_MAXX - col + 1, then overflows movetext(col2 + i, ...) and
    cterm_gotoxy(TERM_MAXX - i, ...).

    ECH 'X' (Erase Character): Negative i bypasses i > CURR_MAXX - col,
    then malloc(negative * sizeof) promotes to a huge size_t allocation
    that returns NULL, leading to a NULL dereference in vmem_puttext().

    Shift Left ' @' and Shift Right ' A': Same truncation pattern. Negative
    i bypasses the i > TERM_MAXX / i > cterm->width clamps, producing bad
    movetext() coordinates.

    All found via ANSI fuzz testing.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
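The uint64-to-int truncation pattern from the message above, as an added example (not code from the commit or from cterm.c). All function names are hypothetical, the limit of 80 is a constructed value, and treating a rejected count as 0 ("do nothing") is an assumption; the third function goes slightly beyond the described fix by clamping before narrowing.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix pattern: narrow first, then apply only an upper-bound clamp.
 * The conversion is implementation-defined and wraps on common ABIs, so
 * 0x80000000 becomes negative and slips under "i > limit". */
static int count_narrow_then_clamp(uint64_t param, int limit)
{
    int i = (int)param;

    if (i > limit)
        i = limit;
    return i;
}

/* Pattern the message describes: reject i < 1 right after the assignment. */
static int count_with_floor_check(uint64_t param, int limit)
{
    int i = (int)param;

    if (i < 1)
        return 0;               /* assumption: 0 means the handler bails out */
    if (i > limit)
        i = limit;
    return i;
}

/* Alternative: clamp while the value is still 64 bits wide, so a huge
 * parameter cannot alias to a small in-range count after truncation. */
static int count_clamp_wide(uint64_t param, int limit)
{
    if (limit < 1 || param < 1)
        return 0;
    return param > (uint64_t)limit ? limit : (int)param;
}

int main(void)
{
    /* Constructed parameters, as a CSI parser might store them. */
    const uint64_t params[] = { 3, 200, 0x80000000u, 0x100000005u };

    for (size_t n = 0; n < sizeof params / sizeof params[0]; n++)
        printf("param=0x%-10" PRIx64 " narrow=%-12d floor=%-3d wide=%d\n",
               params[n], count_narrow_then_clamp(params[n], 80),
               count_with_floor_check(params[n], 80),
               count_clamp_wide(params[n], 80));
    return 0;
}
```

The last sample shows the remaining difference between the two safe forms: 0x100000005 truncates to 5 and passes the floor check as a small count, whereas clamping in the wide type treats it as the oversized request it is.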
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Tue Mar 17 22:53:09 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/730a519045111adc5b4db23f
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Add missing #include <stdarg.h> in cterm.c

    cterm_respond_printf() uses va_list/va_start/va_end which require
    stdarg.h. Builds on FreeBSD pulled it in transitively but OpenBSD
    CI caught the missing include.

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Wed Mar 18 21:52:28 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/13db692a7140a52beaae7244
    Modified Files:
    src/conio/cterm.c
    Log Message:
    New commands, new CVS revision.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sat Mar 21 11:00:00 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/aa2749d1664734bcdd6932a1
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Derp. Fix last commit
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Tue Mar 31 11:13:12 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/da1f2e19a4e86caca94ac62c
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix DECRQSS handling.

    When an "invalid" sequence or setting is selected, it should not
    be echoed back.

    Also, many classes of invalid were not getting any response.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Thu Apr 2 19:30:13 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/00ef32f63c2f496e6c37ec21
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix various Sixel related vulnerabilities.

    All found by JQuast and graciously reported via IRC.
    Thanks!
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Thu Apr 2 19:35:08 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/563a58c479b8d2979aeeea01
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix stack overflow parsing DECRQSS

    Reported by JQuast over IRC.
    Thanks!
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)