st
Composed input handling bug. Undefined behavior. Random action/command execution.
Behavior
When using a system with defined XCompose bindings that exceed the length of 64 characters, if such a binding is ever used in ST, a bunch of random keypresses (65 or more) will be sent to the application now in use (or the shell itself). Such keypresses may be completely harmful, or may at times request text to be deleted, a command to be run, an application to be closed, etc.
Bug description
In file x.c, in the function kpress, located at line 2017, when the data that was input is requested with the XmbLookupString function, a buffer of static size is used. This function, however, does not return the amount of data that it has written, but instead returns the amount of data that is currently available, not writing anything at all to the buffer if it is too small to fit all of it. Later on, when this buffer is sent to the stdin of the application that is currently running, that length is not checked, even if it is longer than the actual buffer size, and the buffer is not even initialized and therefore contains more or less random data; all of this random data and the data that follows it (up until the length of the available data is hit) is sent directly to the application.

The data that is sent can vary greatly between restarts of ST, different bindings being used, or even just the time that they were used at, creating a danger of the user unknowingly running a random command that they have no idea about, or causing damage to their data.
Fix
The fix is pretty simple; I have created and tested it and will link the pull request shortly after submitting the issue.
Pull request #342 will solve this issue.
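
The length handling described in this report, as an added example that is not ST's code and not the change in pull request #342. mock_lookup, unchecked_len, handle_compose, pty_out and SAMPLE_LONG are hypothetical names; mock_lookup only imitates the documented XmbLookupString overflow behavior (required size returned, buffer untouched) so the check can be exercised without an X server.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a composed string longer than the 64-byte buffer. */
static const char SAMPLE_LONG[] = "constructed-compose-sequence-"
    "constructed-compose-sequence-" "constructed-compose-sequence-";
static char pty_out[256];   /* hypothetical stand-in for the write to the pty */

/* Hypothetical stand-in for XmbLookupString's overflow contract: returns the
 * bytes required; if they do not fit, writes nothing and sets *overflow
 * (Xlib reports that case as status XBufferOverflow). */
static size_t mock_lookup(const char *src, char *buf, size_t cap, int *overflow)
{
    size_t need = strlen(src);
    *overflow = need > cap;
    if (!*overflow)
        memcpy(buf, src, need);
    return need;
}

/* Length the unchecked path would pass on: a required size, not a written count. */
size_t unchecked_len(const char *src)
{
    char small[64];
    int overflow;
    return mock_lookup(src, small, sizeof small, &overflow);
}

/* Checked path: on overflow, retry with a buffer of the required size.
 * Returns the bytes forwarded to pty_out, or -1 if nothing was forwarded. */
long handle_compose(const char *src)
{
    char small[64], *buf = small, *heap = NULL;
    int overflow;
    size_t len = mock_lookup(src, buf, sizeof small, &overflow);

    if (overflow) {
        if (!(heap = malloc(len)))
            return -1;
        buf = heap;
        len = mock_lookup(src, buf, len, &overflow);
    }
    if (overflow || len > sizeof pty_out) {
        free(heap);
        return -1;
    }
    memcpy(pty_out, buf, len);
    free(heap);
    return (long)len;
}
```

With real Xlib the same decision is made on the status value XmbLookupString reports (XBufferOverflow) rather than on a separate flag.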