sixel: prevent allocating an absurd amount of memory or writing OOB #20213
Merged
This commit implements two fixes for the integer overflow/out-of-bounds write reported in #20149. First, it catches any exception generated in sixel char processing (which will prevent `out_of_memory` or `bad_alloc` from being ignored sight-unseen, and will prevent the consumption of further DCS content). Second, it prevents us from allocating memory for an image which will never be displayed (because it exceeds the height of the display.) This supersedes prior work in #20153 for the same issues. Closes #20149 Closes #20153 Co-authored-by: James Holderness <j4_james@hotmail.com>
Member
Author
My only concern is:
DHowett
commented
May 11, 2026
| _parameters.clear(); | ||
| return [&](const auto ch) { | ||
| _parseCommandChar(ch); | ||
| try |
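Review bot: the `try` now opens inside the per-character lambda (`return [&](const auto ch) {`), but the handler side is not visible in this hunk, so please confirm the catch records the failure and returns a value that ends the sequence rather than swallowing it silently. A one-line comment next to the `try` naming the exceptions it is expected to absorb would help the next reader understand why character processing is guarded at this level.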
Member
Author
I cannot quantify the cost of an exception handler here.
Collaborator
I'm personally not too concerned about the performance, and if we get Leonard's DCS batch processing merged at some point, I expect that would mitigate the performance impact (assuming there is any).
DHowett
commented
May 11, 2026
| _availablePixelHeight -= _sixelHeight; | ||
| _resizeImageBuffer(_sixelHeight); | ||
| _fillImageBackgroundWhenScrolled(); | ||
| // If we don't have any available pixel height, that means the image has |
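Review bot: the check introduced by the comment "If we don't have any available pixel height" comes after `_availablePixelHeight -= _sixelHeight;`, and if `_sixelHeight` can exceed what remains, that subtraction goes past zero. Worth confirming the condition under the comment treats a negative value the same as zero (a signed type compared with `<= 0`, not `== 0`), and stating in the comment whether `_resizeImageBuffer(_sixelHeight)` above it is still meant to run in that case.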
Member
Author
(this is getting a Co-authored-by; github is just suppressing it in the PR review window)
lhecker
approved these changes
May 12, 2026
DHowett
added a commit
that referenced
this pull request
May 12, 2026
…20213) This commit implements two fixes for the integer overflow/out-of-bounds write reported in #20149. First, it catches any exception generated in sixel char processing (which will prevent `out_of_memory` or `bad_alloc` from being ignored sight-unseen, and will prevent the consumption of further DCS content). Second, it prevents us from allocating memory for an image which will never be displayed (because it exceeds the height of the display.) This supersedes prior work in #20153 for the same issues. Closes #20149 Closes #20153 Co-authored-by: James Holderness <j4_james@hotmail.com> (cherry picked from commit c829d4c) Service-Card-Id: PVTI_lADOAF3p4s4BBcTlzgrY_zM Service-Version: 1.24
DHowett
added a commit
that referenced
this pull request
May 12, 2026
…20213) This commit implements two fixes for the integer overflow/out-of-bounds write reported in #20149. First, it catches any exception generated in sixel char processing (which will prevent `out_of_memory` or `bad_alloc` from being ignored sight-unseen, and will prevent the consumption of further DCS content). Second, it prevents us from allocating memory for an image which will never be displayed (because it exceeds the height of the display.) This supersedes prior work in #20153 for the same issues. Closes #20149 Closes #20153 Co-authored-by: James Holderness <j4_james@hotmail.com> (cherry picked from commit c829d4c) Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgrY_zQ Service-Version: 1.25
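The two mitigations the description names (no allocation for image rows that fall outside the display, and no further consumption of the sequence once character processing throws), as an added example that is not code from this pull request. `ImageBuffer`, `growBy` and `feed` are hypothetical names, and the checked multiplication is an assumption about how the size computation could be guarded.

```cpp
// Added illustration: hypothetical names, not Windows Terminal's own code.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <string>
#include <vector>

struct ImageBuffer
{
    size_t width = 0;            // pixels per row
    size_t height = 0;           // rows allocated so far
    int64_t availableHeight = 0; // display rows still free for the image
    std::vector<uint8_t> pixels;

    // Grow by one band. Returns false, allocating nothing, when the band
    // would land beyond the bottom of the display.
    bool growBy(size_t bandHeight)
    {
        if (availableHeight <= 0 || bandHeight > static_cast<uint64_t>(availableHeight))
            return false;
        const size_t newHeight = height + bandHeight;
        // Checked multiply: refuse a width * height product that would wrap.
        if (width != 0 && newHeight > std::numeric_limits<size_t>::max() / width)
            throw std::length_error("image size overflows size_t");
        pixels.resize(width * newHeight); // may still throw std::bad_alloc
        height = newHeight;
        availableHeight -= static_cast<int64_t>(bandHeight);
        return true;
    }
};

// Constructed driver. '-' is the sixel Graphics New Line, which starts a new
// six-pixel band. Returns the number of characters consumed before any
// exception ended processing of the sequence.
size_t feed(ImageBuffer& img, const std::string& data)
{
    size_t consumed = 0;
    for (const char ch : data)
    {
        try
        {
            if (ch == '-') img.growBy(6);
        }
        catch (...)
        {
            break; // stop consuming the rest of the sequence
        }
        ++consumed;
    }
    return consumed;
}
```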