Sergey Matveev's repositories - st.git/commitdiff
set upper limit for REP escape sequence argument
author Tommi Hirvola <tommi@hirvola.fi>
Mon, 4 Mar 2024 10:56:30 +0000 (12:56 +0200)
committer Hiltjo Posthuma <hiltjo@codemadness.org>
Mon, 4 Mar 2024 22:50:58 +0000 (23:50 +0100)
Previously, printf 'L\033[2147483647b' would call tputc('L') 2^31 times,
making st unresponsive. This commit allows repeating the last character
at most 65535 times in order to prevent freezing and DoS attacks.

st.c

diff --git a/st.c b/st.c
index 77c3e8a8d8d16e3004760a0432af437065e41fb6..683493d3aa66fc346eb0eadc1c6e8f8bdd08dac8 100644 (file)
--- a/st.c
+++ b/st.c
@@ -1643,7 +1643,7 @@ csihandle(void)
                        ttywrite(vtiden, strlen(vtiden), 0);
                break;
        case 'b': /* REP -- if last char is printable print it <n> more times */
-               DEFAULT(csiescseq.arg[0], 1);
+               LIMIT(csiescseq.arg[0], 1, 65535);
                if (term.lastc)
                        while (csiescseq.arg[0]-- > 0)
                                tputc(term.lastc);
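
Review bot: the ceiling 65535 in `LIMIT(csiescseq.arg[0], 1, 65535);` is a bare magic number, and the `case 'b'` comment still promises the character is printed `<n>` more times with no mention of a cap. Give the bound a named constant (or derive it from the terminal's cell count, since repeats past the visible screen only scroll) and extend the comment to say that larger arguments are clamped. Two further points on the same line: the removed `DEFAULT(csiescseq.arg[0], 1)` turned an omitted argument into 1, so it is worth confirming that the lower bound of 1 in `LIMIT` preserves that for a zero or negative value; and the loop still makes up to 65535 `tputc(term.lastc)` calls per sequence, so a stream of back-to-back REP sequences remains a sustained load that the commit message's "prevent freezing and DoS attacks" wording should not overstate.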