Fix DoS caused by excessive CSI parameter values

5 files changed, 21 insertions, 19 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bce81fe1..cd4f43e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 - Wide characters sometimes being cut off
 - Preserve vi mode across terminal `reset`
+- Escapes `CSI Ps b` and `CSI Ps Z` with large parameters locking up Alacritty
 
 ### Removed
 
diff --git a/Cargo.lock b/Cargo.lock
index 1eddd108..72997288 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2144,8 +2144,7 @@ checksum = "14e39a4f106dafb0a748b951494667a44e62b55fd7942b4fc12706d63cc535a0"
 [[package]]
 name = "utf8parse"
 version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "936e4b492acfd135421d8dca4b1aa80a7bfc26e702ef3af710e0752684df5372"
+source = "git+https://github.com/alacritty/vte#86603075dc8fdb481a0c475a740c00fb25c97771"
 
 [[package]]
 name = "vcpkg"
@@ -2188,8 +2187,7 @@ dependencies = [
 [[package]]
 name = "vte"
 version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e7745610024d50ab1ebfa41f8f8ee361c567f7ab51032f93cc1cc4cbf0c547a"
+source = "git+https://github.com/alacritty/vte#86603075dc8fdb481a0c475a740c00fb25c97771"
 dependencies = [
  "utf8parse",
  "vte_generate_state_changes",
@@ -2198,8 +2196,7 @@ dependencies = [
 [[package]]
 name = "vte_generate_state_changes"
 version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d257817081c7dffcdbab24b9e62d2def62e2ff7d00b1c20062551e6cccc145ff"
+source = "git+https://github.com/alacritty/vte#86603075dc8fdb481a0c475a740c00fb25c97771"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/alacritty_terminal/Cargo.toml b/alacritty_terminal/Cargo.toml
index 330df913..64404e64 100644
--- a/alacritty_terminal/Cargo.toml
+++ b/alacritty_terminal/Cargo.toml
@@ -14,7 +14,7 @@ bitflags = "1"
 parking_lot = "0.11.0"
 serde = { version = "1", features = ["derive"] }
 serde_yaml = "0.8"
-vte = { version = "0.9.0", default-features = false }
+vte = { git = "https://github.com/alacritty/vte", default-features = false }
 mio = "0.6.20"
 mio-extras = "2"
 log = "0.4"
diff --git a/alacritty_terminal/src/ansi.rs b/alacritty_terminal/src/ansi.rs
index 7567eba2..4c50495c 100644
--- a/alacritty_terminal/src/ansi.rs
+++ b/alacritty_terminal/src/ansi.rs
@@ -31,9 +31,13 @@ fn parse_rgb_color(color: &[u8]) -> Option<Rgb> {
 
     // Scale values instead of filling with `0`s.
     let scale = |input: &str| {
-        let max = u32::pow(16, input.len() as u32) - 1;
-        let value = u32::from_str_radix(input, 16).ok()?;
-        Some((255 * value / max) as u8)
+        if input.len() > 4 {
+            None
+        } else {
+            let max = u32::pow(16, input.len() as u32) - 1;
+            let value = u32::from_str_radix(input, 16).ok()?;
+            Some((255 * value / max) as u8)
+        }
     };
 
     Some(Rgb { r: scale(colors[0])?, g: scale(colors[1])?, b: scale(colors[2])? })
@@ -186,7 +190,7 @@ pub trait Handler {
     fn move_up_and_cr(&mut self, _: Line) {}
 
     /// Put `count` tabs.
-    fn put_tab(&mut self, _count: i64) {}
+    fn put_tab(&mut self, _count: u16) {}
 
     /// Backspace `count` characters.
     fn backspace(&mut self) {}
@@ -236,10 +240,10 @@ pub trait Handler {
     fn delete_chars(&mut self, _: Column) {}
 
     /// Move backward `count` tabs.
-    fn move_backward_tabs(&mut self, _count: i64) {}
+    fn move_backward_tabs(&mut self, _count: u16) {}
 
     /// Move forward `count` tabs.
-    fn move_forward_tabs(&mut self, _count: i64) {}
+    fn move_forward_tabs(&mut self, _count: u16) {}
 
     /// Save current cursor position.
     fn save_cursor_position(&mut self) {}
@@ -424,7 +428,7 @@ impl Mode {
     /// Create mode from a primitive.
     ///
     /// TODO lots of unhandled values.
-    pub fn from_primitive(intermediate: Option<&u8>, num: i64) -> Option<Mode> {
+    pub fn from_primitive(intermediate: Option<&u8>, num: u16) -> Option<Mode> {
         let private = match intermediate {
             Some(b'?') => true,
             None => false,
@@ -968,7 +972,7 @@ where
         let handler = &mut self.handler;
         let writer = &mut self.writer;
 
-        let mut next_param_or = |default: i64| {
+        let mut next_param_or = |default: u16| {
             params_iter.next().map(|param| param[0]).filter(|&param| param != 0).unwrap_or(default)
         };
 
@@ -1258,7 +1262,7 @@ fn attrs_from_sgr_parameters(params: &mut ParamsIter<'_>) -> Vec<Option<Attr>> {
 }
 
 /// Parse a color specifier from list of attributes.
-fn parse_sgr_color(params: &mut dyn Iterator<Item = i64>) -> Option<Color> {
+fn parse_sgr_color(params: &mut dyn Iterator<Item = u16>) -> Option<Color> {
     match params.next() {
         Some(2) => Some(Color::Spec(Rgb {
             r: u8::try_from(params.next()?).ok()?,
diff --git a/alacritty_terminal/src/term/mod.rs b/alacritty_terminal/src/term/mod.rs
index accb4dc1..cffba149 100644
--- a/alacritty_terminal/src/term/mod.rs
+++ b/alacritty_terminal/src/term/mod.rs
@@ -1691,7 +1691,7 @@ impl<T: EventListener> Handler for Term<T> {
 
     /// Insert tab at cursor position.
     #[inline]
-    fn put_tab(&mut self, mut count: i64) {
+    fn put_tab(&mut self, mut count: u16) {
         // A tab after the last column is the same as a linebreak.
         if self.grid.cursor.input_needs_wrap {
             self.wrapline();
@@ -1883,7 +1883,7 @@ impl<T: EventListener> Handler for Term<T> {
     }
 
     #[inline]
-    fn move_backward_tabs(&mut self, count: i64) {
+    fn move_backward_tabs(&mut self, count: u16) {
         trace!("Moving backward {} tabs", count);
 
         for _ in 0..count {
@@ -1899,7 +1899,7 @@ impl<T: EventListener> Handler for Term<T> {
     }
 
     #[inline]
-    fn move_forward_tabs(&mut self, count: i64) {
+    fn move_forward_tabs(&mut self, count: u16) {
         trace!("[unimplemented] Moving forward {} tabs", count);
     }