Description: Fix for CVE-2021-27135 from xterm 366 Correct upper-limit for selection buffer, accounting for combining characters (report by Tavis Ormandy).
Upstream-Status: Backport https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
CVE: CVE-2021-27135
Signed-off-by: Armin Kuster
---
 button.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
Index: xterm-353/button.c
===================================================================
--- xterm-353.orig/button.c
+++ xterm-353/button.c
@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
 int i;
 int eol;
 int need = 0;
+ size_t have = 0;
 Char *line;
 Char *lp;
 CELL first = *cellc;
@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
 /* UTF-8 may require more space */
 if_OPT_WIDE_CHARS(screen, {
- need *= 4;
+ if (need > 0) {
+ if (screen->max_combining > 0)
+ need += screen->max_combining;
+ need *= 6;
+ }
 });
 /* now get some memory to save it in */
@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
 }
 *lp = '\0'; /* make sure we have end marked */
- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
- visibleChars(line, (unsigned) (lp - line))));
+ have = (size_t) (lp - line);
+ /*
+ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
+ * the estimate is too-far off.
+ */
+ if ((have * 2) < (size_t) need) {
+ Char *next;
+ scp->data_limit = have + 1;
+ next = realloc(line, scp->data_limit);
+ if (next == NULL) {
+ free(line);
+ scp->data_length = 0;
+ scp->data_limit = 0;
+ }
+ scp->data_buffer = next;
+ }
+ scp->data_length = have;
- scp->data_length = (size_t) (lp - line);
+ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
+ visibleChars(scp->data_buffer, (unsigned) have)));
 }
 #if OPT_PASTE64
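Review bot: In the `if_OPT_WIDE_CHARS` hunk of SaltTextAway, `need += screen->max_combining;` adds the combining allowance once to the total cell count before `need *= 6;`, so the estimate is (cells + max_combining) * 6 rather than cells * (1 + max_combining) * 6. Whether that bound holds depends on the copy loop, which is outside this hunk: if it can emit up to max_combining combining characters for every cell, the buffer could still be smaller than the text written into it, and that cannot be confirmed from the lines shown. I would either scale per cell or add a comment above `need *= 6;` stating why a single allowance is enough and where the factor 6 comes from. Separately, `need` is declared `int` in the first hunk, so the multiplication is signed; doing the size arithmetic in `size_t` with an overflow check before the allocation would rule out undefined behaviour on a very large selection.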
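Review bot: When `realloc` fails in the shrink branch of the last SaltTextAway hunk, the `scp->data_length = 0;` set in the failure path is overwritten by the unconditional `scp->data_length = have;` after the block. That leaves `scp->data_buffer` NULL with a non-zero length and `data_limit` of 0, and the TRACE that follows hands the NULL pointer to `visibleChars`. A failed shrink leaves `line` valid, so the simplest repair is to keep the existing buffer and limit and adopt `next` only on success, as below. This assumes `scp->data_buffer` already points at `line` when the hunk is reached, which the TRACE on the non-shrinking path implies but the hunk does not show; the function body starts and ends outside the hunk.

```c
if ((have * 2) < (size_t) need) {
    /* Shrinking is only an optimisation: on failure the original
     * block is still valid, so keep it and its recorded limit. */
    Char *next = realloc(line, have + 1);
    if (next != NULL) {
        scp->data_buffer = next;
        scp->data_limit = have + 1;
    }
}
scp->data_length = have;
/* … unchanged: TRACE of the salted text … */
```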