Crash when using scroll markers and system menu user commands

[perliboriussen]

When using scroll markers (the "^[[?7711h" sequence) in the prompt of the shell, mintty crashes when invoking a user command from the extended context menu (as defined with the "CtxMenuFunctions" in .minttyrc).
This happens when the last two lines in the output both contains the marker.

To reproduce, it should be sufficient to set up the shell to use scroll markers in the prompt, start a new mintty and press "return" to get a new prompt line. Then invoke a user command from the context menu. The crash is in the calculation of the "MINTTY_OUTPUT" env.var. value.

This is the stack trace for a debug build of version 3.6.1:

#0  0x0000000100425ce0 in clip_addchar (b=0x800028480, chr=0 L'\000', ca=0x0,
    tabs=false, sizehint=18446744073709551606) at termclip.c:70
#1  0x0000000100426426 in get_selection (attrs=false, start=..., end=...,
    rect=false, allinline=false, with_tabs=false) at termclip.c:198
#2  0x00000001004264ba in get_sel_str (start=..., end=..., rect=false,
    allinline=false, with_tabs=false) at termclip.c:206
#3  0x0000000100427376 in term_get_text (all=false, screen=false, command=true)
    at termclip.c:468
#4  0x00000001004274f8 in term_cmd (
    cmd=0x80012ba10 ".../cmd.sh") at termclip.c:493
#5  0x00000001004580c6 in pick_key_function (
    key_commands=0x80005c5e0 L"..."
    scancode=0) at wininput.c:2137
#6  0x0000000100458352 in user_function (
    commands=0x80005c5e0 L"...",  at wininput.c:2239
#7  0x00000001004649a8 in win_proc (wnd=0x1607c6, message=273, wp=40963, lp=0)
    at winmain.c:3545
#8  0x00007ffffe17e858 in USER32!CallWindowProcW ()
   from /c/Windows/System32/USER32.dll
#9  0x00007ffffe17e299 in USER32!DispatchMessageW ()
   from /c/Windows/System32/USER32.dll
#10 0x000000010046d307 in main (argc=1, argv=0x80004a310) at winmain.c:7037

The "sizehint" parameter indicates the problem: it calculates "start" and "end" positions for the text, but here the start position becomes greater than the end position, and the estimate for the size becomes negative. This value is then converted to an unsigned value, and becomes almost 2^64. A memory allocation for this size fails, and the resulting null pointer is used.

It looks like the calculations goes wrong in the function term_get_text() in termclip.c.
Compiling with "debug_user_cmd_clip" defined gives this output for the crash:

0:0...0:0
y 0 skip 1 marked 4
1:0...0:80

The problem is probably in lines 410-420:

      if (line->lattr & LATTR_MARKED) {
        if (y > sbtop) {
          y--;
          end = (pos){y, term.cols, 0, 0, false};
          termline * line = fetch_line(y);
          if (line->lattr & LATTR_MARKED)
            y++;
        }
        else {
          end = (pos){y, 0, 0, 0, false};
        }
      }

The "y++" will bump "start" past "end" here.

[mintty]

Thanks a lot for the detailed analysis. I have added safeguards at various places which should hopefully prevent the crash condition. I am not quite sure how to prevent start.y from becoming greater than end.y easily in the first place but its consequences are now being caught. Please take a look.

How do you actually interpret the stacktrace? I use addr2line but it does not reveal function parameters.

[mintty]

For the records, the issue was also reproducible with something like

KeyFunctions=A+F12:`pwd`

[perliboriussen]

Indeed, the fix works perfectly for me. Thank you for a speedy resolution.

The stacktrace above is produced by building mintty with DEBUG=1, and then running the resulting executable under gdb, and provoking the crash.

[mintty]

Released 3.6.2.