dnkl/foot
41
2.0k
Fork
You've already forked foot
243

Heap OOB read in OSC 66 (kitty text-size protocol) with empty text #2364

Closed
opened 2026年05月24日 23:26:51 +02:00 by jackoftrade · 0 comments

Foot Version

1.27.0

TERM environment variable

foot

Compositor Name and Version

sway 1.11

Distribution

arch

Terminal multiplexer

No response

Shell, TUI, application

No response

Server/standalone mode

  • Standalone
  • Server

Foot config

default

Description of Bug and Steps to Reproduce

osc.c kitty_text_size at line 1245-1246:

uint32_t key = composed_key_from_chars(wchars, len);
const struct composed *composed = composed_lookup_without_collision(
 term->composed, &key, wchars, len - 1, wchars[len - 1], forced_width);

When the OSC 66 payload has the form w=N; with no text after the
semicolon, the parameter-only early-out at line 1196-1206 is taken
only when forced_width == 0; for w=1..7 it falls through. ambstoc32("")
returns a 4-byte allocation containing just U'0円' and c32len returns 0,
so the call above evaluates wchars[len - 1] with len - 1 = SIZE_MAX.
On 64-bit, wchars + SIZE_MAX * sizeof(char32_t) wraps and lands four
bytes before the allocation.

Reproduce:

printf '033円]66;w=1;033円\\'

AddressSanitizer:

AddressSanitizer: heap-buffer-overflow on address 0x50200000004c
READ of size 4 at 0x50200000004c thread T0
0x50200000004c is located 4 bytes before 4-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow in osc_dispatch

Fix: in kitty_text_size, treat len == 0 as the empty case and return
before computing len - 1 (or guard the lookup on len >= 1).

Relevant logs, stacktraces, etc.

No response

### Foot Version 1.27.0 ### TERM environment variable foot ### Compositor Name and Version sway 1.11 ### Distribution arch ### Terminal multiplexer _No response_ ### Shell, TUI, application _No response_ ### Server/standalone mode - [ ] Standalone - [ ] Server ### Foot config ```ini default ``` ### Description of Bug and Steps to Reproduce osc.c kitty_text_size at line 1245-1246: uint32_t key = composed_key_from_chars(wchars, len); const struct composed *composed = composed_lookup_without_collision( term->composed, &key, wchars, len - 1, wchars[len - 1], forced_width); When the OSC 66 payload has the form `w=N;` with no text after the semicolon, the parameter-only early-out at line 1196-1206 is taken only when forced_width == 0; for w=1..7 it falls through. ambstoc32("") returns a 4-byte allocation containing just U'0円' and c32len returns 0, so the call above evaluates `wchars[len - 1]` with `len - 1` = SIZE_MAX. On 64-bit, `wchars + SIZE_MAX * sizeof(char32_t)` wraps and lands four bytes before the allocation. Reproduce: printf '033円]66;w=1;033円\\' AddressSanitizer: AddressSanitizer: heap-buffer-overflow on address 0x50200000004c READ of size 4 at 0x50200000004c thread T0 0x50200000004c is located 4 bytes before 4-byte region SUMMARY: AddressSanitizer: heap-buffer-overflow in osc_dispatch Fix: in kitty_text_size, treat len == 0 as the empty case and return before computing `len - 1` (or guard the lookup on len >= 1). ### Relevant logs, stacktraces, etc. _No response_
Sign in to join this conversation.
No Branch/Tag specified
master
osc-5522
sixel-heap-buffer-overflow
releases/1.27
releases/1.26
releases/1.25
releases/1.24
multi-cursor
releases/1.23
pixman-16f-2
releases/1.22
releases/1.21
releases/1.20
releases/1.19
releases/1.18
releases/1.17
releases/1.16
releases/1.15
releases/1.14
releases/1.13
releases/1.12
releases/1.11
releases/1.10
releases/1.9
releases/1.8
releases/1.7
releases/1.6
releases/1.5
releases/1.4
releases/1.3
releases/1.2
releases/1.1
releases/1.0
1.27.0
1.26.1
1.26.0
1.25.0
1.24.0
1.23.1
1.23.0
1.22.3
1.22.2
1.22.1
1.22.0
1.21.0
1.20.2
1.20.1
1.20.0
1.19.0
1.18.1
1.18.0
1.17.2
1.17.1
1.17.0
1.16.2
1.16.1
1.16.0
1.15.3
1.15.2
1.15.1
1.15.0
1.14.0
1.13.1
1.13.0
1.12.1
1.12.0
1.11.0
1.10.3
1.10.2
1.10.1
1.10.0
1.9.2
1.9.1
1.9.0
1.8.2
1.8.1
1.8.0
1.7.2
1.7.1
1.7.0
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.4
1.5.3
1.5.2
1.5.1
1.5.0
1.4.4
1.4.3
1.4.2
1.4.1
1.4.0
1.3.0
1.2.3
1.2.2
1.2.1
1.2.0
1.1.0
1.0.0
0.9.0
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
dnkl/foot#2364
Reference in a new issue
dnkl/foot
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?