REP escape sequence with a large repeat count will hang conhost #5160
Comments
ghost
added
Needs-Triage
zadjii-msft
added
Area-VT
|
Capping parameters in general to 16-bit integers is possibly not a future-proof idea. Capping this specific case most certainly is, in contrast. If automatic right margin (DEC Private Mode 7) is off, it makes no sense to ever repeat more than 1 lineful of characters. If automatic right margin is on, it makes no sense to ever repeat more than 1 screenful + maximum scrollback size of characters. Repeating more would have no visibly different effect. |
If not 16 bits then what? 32? 64? 128? Infinite? You've got to pick a limit somewhere, and 16 bits meets the need of every existing escape sequence, and keeps us compatible with other mainstream terminal emulators. There are no immediate benefits to having a higher cap, but there are several negative consequences. Introducing unnecessary problems in the code just so we can prepare for some imaginary future event that may never occur seems extremely counterproductive. |
## Summary of the Pull Request This PR clamps the parameter values in the VT `StateMachine` parser to 32767, which was the initial limit prior to PR #3956. This fixes a number of overflow bugs (some of which could cause the app to crash), since much of the code is not prepared to handle values outside the range of a `short`. ## References #3956 - the PR where the cap was changed to the range of `size_t` #4254 - one example of a crash caused by the higher range ## PR Checklist * [x] Closes #5160 * [x] CLA signed. If not, go over [here](https://cla.opensource.microsoft.com/microsoft/Terminal) and sign the CLA * [x] Tests added/passed * [ ] Requires documentation to be updated * [ ] I've discussed this with core contributors already. If not checked, I'm ready to accept this work might be rejected in favor of a different grand plan. Issue number where discussion took place: #xxx ## Detailed Description of the Pull Request / Additional comments The DEC STD 070 reference recommends supporting up to at least 16384 for parameter values, so 32767 should be more than enough for any standard VT sequence. It might be nice to increase the limit to 65535 at some point, since that is the cap used by both XTerm and VTE. However, that is not essential, since there are very few situations where you'd even notice the difference. For now, 32767 is the safest choice for us, since anything greater than that has the potential to overflow and crash the app in a number of places. ## Validation Steps Performed I had to make a couple of modifications to the range checks in the `OutputEngineTest`, more or less reverting to the pre-#3956 behavior, but after that all of the unit tests passed as expected. I manually confirmed that this fixes the hanging test case from #5160, as well as overflow issues in the cursor operations, and crashes in `IL` and `DL` (see #4254 (comment)).
ghost
added
the
Resolution-Fix-Committed
|
🎉This issue was addressed in #5200, which has now been successfully released as Handy links: |
|
The limit that you had in that code wasn't that problematic. A limit of 32767 on the length of that string is not sensible, for the reasons that I mentioned, and sensible code would thus have to employ a lower limit, specific to REP, anyway. In which case, the overall limit on parameter decoding need not be the same as the REP-specific limit. Conversely, a limit of 32767 on everything is not future-proof. One day, someone will come along with a control sequence that has a parameter value greater than that. Perhaps it will be an encoded 24-bit or 32-bit RGB value. Perhaps it will be a 21-bit Unicode code point. Perhaps it will be something that merely needs 16 bits instead of 15, as at least one control sequence already does. Moreover, no this is not compatible with others, given that you've chosen a number different to them. It is 2020. Surely we have learned by now not to put signed 16-bit limits into things, and not to be foolishly dismissive of the idea that 15 bits might not be enough? There's a huge body of past experience to learn from in that regard, quite a lot of it in Microsoft softwares. (The fact that it wasn't enough in the old console implementation, necessitating this one and bringing all of the current pain engendered by the old UCS-2 interfaces, seems particularly ironic here. Yes, people said exactly what you just said about 16 bits sufficing for Unicode in the future, too, and it wasn't the case.) Your REP limit should be sensible, and much lower; and your general parameter decoding limit should be distinct from that, future-proof, and higher. |
|
I'm just happy that the clamping is happening in a single place and it'll give us the time to audit anything in the console host that isn't |
Environment
Windows build number: Version 10.0.18362.657
Windows Terminal version (if applicable): Commit 28d108b
Steps to reproduce
printf "*\e[9999999999b"Expected behavior
Technically we're asking the terminal to repeat the
*character 10 billion times, but most terminals clamp their parameter values at a reasonable size. So I'd expect to see the*repeated several thousand times, but not billions.For reference, the DEC specifications recommend a minimum of 16384, and both XTerm and VTE clamp parameters at 65535. Until recently I think we used to clamp them to 32767.
Actual behavior
The terminal hangs while eating up gigabytes of memory.
My recommendation would be to fix this in the state machine, because that potentially fixes or simplifies a bunch of other overflow problems too. See here:
terminal/src/terminal/parser/stateMachine.cpp
Lines 1429 to 1434 in 7b9c8c7
Worst case, though, we could fix this specific problem in the
REPimplementation here:terminal/src/terminal/parser/OutputStateMachineEngine.cpp
Lines 527 to 528 in 7b9c8c7
The text was updated successfully, but these errors were encountered: