commit 95f22c53059ccd60ee701ccf2659dacd95e4e89a
from: Tommi Hirvola <tommi@hirvola.fi>
via: Hiltjo Posthuma <hiltjo@codemadness.org>
date: Mon Mar  4 22:50:58 2024 UTC

set upper limit for REP escape sequence argument

Previously, printf 'L\033[2147483647b' would call tputc('L') 2^31 times,
making st unresponsive. This commit allows repeating the last character
at most 65535 times in order to prevent freezing and DoS attacks.

commit - 7473a8d1a57e5f9aba41b953f4e498c35e1c9dc5
commit + 95f22c53059ccd60ee701ccf2659dacd95e4e89a
blob - 77c3e8a8d8d16e3004760a0432af437065e41fb6
blob + 683493d3aa66fc346eb0eadc1c6e8f8bdd08dac8
--- st.c
+++ st.c
@@ -1643,7 +1643,7 @@ csihandle(void)
 			ttywrite(vtiden, strlen(vtiden), 0);
 		break;
 	case 'b': /* REP -- if last char is printable print it <n> more times */
-		DEFAULT(csiescseq.arg[0], 1);
+		LIMIT(csiescseq.arg[0], 1, 65535);
 		if (term.lastc)
 			while (csiescseq.arg[0]-- > 0)
 				tputc(term.lastc);