Stop parsing digits if the value already exceeds USHRT_MAX.

There is no need for us to support parsing values that are larger than
the maximum terminal window size. In this case that would be the maximum
of unsigned short.

The problem with parsing larger values is that they can cause integer
overflows when adjusting the cursor position, leading to all sorts of
failing assertions.

PR:		202326
Reported by:	kcwu csie org
MFC after:	1 month

1 files changed, 14 insertions, 9 deletions

diff --git a/sys/teken/teken.c b/sys/teken/teken.c
index 3002a88..ef50e50 100644
--- a/sys/teken/teken.c
+++ b/sys/teken/teken.c
@@ -29,12 +29,14 @@
 #include <sys/cdefs.h>
 #if defined(__FreeBSD__) && defined(_KERNEL)
 #include <sys/param.h>
+#include <sys/limits.h>
 #include <sys/lock.h>
 #include <sys/systm.h>
 #define	teken_assert(x)		MPASS(x)
 #else /* !(__FreeBSD__ && _KERNEL) */
 #include <sys/types.h>
 #include <assert.h>
+#include <limits.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
@@ -405,18 +407,21 @@ teken_state_numbers(teken_t *t, teken_char_t c)
 	teken_assert(t->t_curnum < T_NUMSIZE);
 
 	if (c >= '0' && c <= '9') {
-		/*
-		 * Don't do math with the default value of 1 when a
-		 * custom number is inserted.
-		 */
 		if (t->t_stateflags & TS_FIRSTDIGIT) {
+			/* First digit. */
 			t->t_stateflags &= ~TS_FIRSTDIGIT;
-			t->t_nums[t->t_curnum] = 0;
-		} else {
-			t->t_nums[t->t_curnum] *= 10;
+			t->t_nums[t->t_curnum] = c - '0';
+		} else if (t->t_nums[t->t_curnum] < USHRT_MAX) {
+			/*
+			 * Screen positions are stored as unsigned
+			 * shorts. There is no need to continue parsing
+			 * input once the value exceeds USHRT_MAX. It
+			 * would only allow for integer overflows when
+			 * performing arithmetic on the cursor position.
+			 */
+			t->t_nums[t->t_curnum] =
+			    t->t_nums[t->t_curnum] * 10 + c - '0';
 		}
-
-		t->t_nums[t->t_curnum] += c - '0';
 		return (1);
 	} else if (c == ';') {
 		if (t->t_stateflags & TS_FIRSTDIGIT)