patch 9.0.1916: Crash when allocating large terminal screenv9.0.1916

Problem:  Crash when allocating large terminal screen
Solution: Don't allow values > 1000 for terminal
          screen columns and rows

closes: #13126

Signed-off-by: Christian Brabandt <cb@256bit.org>

5 files changed, 40 insertions, 1 deletions

diff --git a/runtime/doc/visual.txt b/runtime/doc/visual.txt
index 616e773fe3..a91969e41e 100644
--- a/runtime/doc/visual.txt
+++ b/runtime/doc/visual.txt
@@ -183,7 +183,7 @@ If you want to highlight exactly the same area as the last time, you can use
 CTRL-C			In Visual mode: Stop Visual mode.  When insert mode is
 			pending (the mode message shows
 			"-- (insert) VISUAL --"), it is also stopped.
-			On MS-Windows, you may need to press CTRL-Break 
+			On MS-Windows, you may need to press CTRL-Break
 			|dos-CTRL-Break|.
 
 ==============================================================================
diff --git a/src/libvterm/src/screen.c b/src/libvterm/src/screen.c
index 53564be16b..7b3322b639 100644
--- a/src/libvterm/src/screen.c
+++ b/src/libvterm/src/screen.c
@@ -776,9 +776,15 @@ static int resize(int new_rows, int new_cols, VTermStateFields *fields, void *us
     if(screen->sb_buffer)
       vterm_allocator_free(screen->vt, screen->sb_buffer);
 
+    if (new_cols > 1000)
+      new_cols = 1000;
+
     screen->sb_buffer = vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * new_cols);
   }
 
+  if (new_rows > 1000)
+    new_rows = 1000;
+
   resize_buffer(screen, 0, new_rows, new_cols, !altscreen_active, fields);
   if(screen->buffers[BUFIDX_ALTSCREEN])
     resize_buffer(screen, 1, new_rows, new_cols, altscreen_active, fields);
diff --git a/src/terminal.c b/src/terminal.c
index cb889ae19a..991f05652b 100644
--- a/src/terminal.c
+++ b/src/terminal.c
@@ -272,6 +272,10 @@ parse_termwinsize(win_T *wp, int *rows, int *cols)
     }
     *rows = atoi((char *)wp->w_p_tws);
     *cols = atoi((char *)p + 1);
+    if (*rows > 1000)
+	*rows = 1000;
+    if (*cols > 1000)
+	*cols = 1000;
     return minsize;
 }
 
diff --git a/src/testdir/test_terminal2.vim b/src/testdir/test_terminal2.vim
index 8615bf55ad..6ce531ed45 100644
--- a/src/testdir/test_terminal2.vim
+++ b/src/testdir/test_terminal2.vim
@@ -64,6 +64,14 @@ func Test_terminal_termwinsize_option_zero()
   call StopShellInTerminal(buf)
   exe buf . 'bwipe'
 
+  " This used to crash Vim
+  set termwinsize=10000*10000
+  let buf = Run_shell_in_terminal({})
+  let win = bufwinid(buf)
+  call assert_equal([1000, 1000], term_getsize(buf))
+  call StopShellInTerminal(buf)
+  exe buf . 'bwipe'
+
   set termwinsize=
 endfunc
 
@@ -271,6 +279,25 @@ func Test_terminal_resize()
   set statusline&
 endfunc
 
+func Test_terminal_resize2()
+  CheckNotMSWindows
+  set statusline=x
+  terminal
+  call assert_equal(2, winnr('$'))
+  let buf = bufnr()
+
+  " Wait for the shell to display a prompt
+  call WaitForAssert({-> assert_notequal('', term_getline(buf, 1))})
+
+  " This used to crash Vim
+  call feedkeys("printf '\033[8;99999;99999t'\<CR>", 'xt')
+  redraw
+
+  call feedkeys("exit\<CR>", 'xt')
+  call TermWait(buf)
+  set statusline&
+endfunc
+
 " must be nearly the last, we can't go back from GUI to terminal
 func Test_zz1_terminal_in_gui()
   CheckCanRunGui
diff --git a/src/version.c b/src/version.c
index 03cb97fd05..110a840397 100644
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1916,
+/**/
     1915,
 /**/
     1914,