screen: CVE-2021-26937

Related Vulnerabilities: CVE-2021-26937   CVE-2021-27135  

Debian Bug report logs - #982435
Package: src:screen; Maintainer for src:screen is Axel Beckert <abe@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Feb 2021 10:00:01 UTC

Severity: grave

Tags: confirmed, security, upstream

Found in versions screen/4.5.0-6, screen/4.8.0-3, screen/4.2.1-3+deb8u1, screen/4.6.2-3

Fixed in version screen/4.8.0-4

Done: Axel Beckert <abe@debian.org>

Forwarded to https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Axel Beckert <abe@debian.org>:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 10:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Axel Beckert <abe@debian.org>. (Wed, 10 Feb 2021 10:00:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 10:56:58 +0100
Source: screen
Version: 4.8.0-3
Severity: grave
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for screen, filing it for
now as RC severity, feel free to downgrade if you disagree.

CVE-2021-26937[0]:
| encoding.c in GNU Screen through 4.8.0 allows remote attackers to
| cause a denial of service (invalid write access and application crash)
| or possibly have unspecified other impact via a crafted UTF-8
| character sequence.

To reproduce the issue and crash screen:

$ cat poc.base64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$ base64 -d poc.base64 | gzip -d -

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
[1] https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
[2] https://www.openwall.com/lists/oss-security/2021/02/09/3
[3] https://savannah.gnu.org/bugs/?60030

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 11:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Feb 2021 11:51:10 GMT) (full text, mbox, link).


Message #10 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 982435@bugs.debian.org, team@security.debian.org
Cc: debian-lts@lists.debian.org
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 12:46:49 +0100
[Message part 1 (text/plain, inline)]
Control: tag -1 + confirmed
Control: found -1 4.6.2-3
Control: found -1 4.5.0-6
Control: found -1 4.2.1-3+deb8u1

Hi Salvatore,

Salvatore Bonaccorso wrote:
> The following vulnerability was published for screen,

Thanks for the heads up! Hadn't noticed that upstream bug report
yesterday, but I do have it in my inbox.

https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile
as it seems.

Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted
mail?

> CVE-2021-26937[0]:
> | encoding.c in GNU Screen through 4.8.0 allows remote attackers to
> | cause a denial of service (invalid write access and application crash)
> | or possibly have unspecified other impact via a crafted UTF-8
> | character sequence.
>
> To reproduce the issue and crash screen:

Can confirm.

> https://security-tracker.debian.org/tracker/CVE-2021-26937

Can also confirm that it affects screen in Debian 10 Buster
(4.6.2-3), Debian 9 Stretch (4.5.0-6) as well.

Additionally it also affects Debian 8 Jessie ELTS (4.2.1-3+deb8u1).
Cc'ing debian-lts@lists.debian.org for that.

I want to note, though, that at least reading
https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
in my mail reader (mutt) which runs inside screen, did _not_ crash my
screen session. So it seems as if mutt has disarmed it in some way.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
[signature.asc (application/pgp-signature, inline)]

Added tag(s) confirmed. Request was from Axel Beckert <abe@debian.org> to 982435-submit@bugs.debian.org. (Wed, 10 Feb 2021 11:51:10 GMT) (full text, mbox, link).


Marked as found in versions screen/4.6.2-3. Request was from Axel Beckert <abe@debian.org> to 982435-submit@bugs.debian.org. (Wed, 10 Feb 2021 11:51:11 GMT) (full text, mbox, link).


Marked as found in versions screen/4.5.0-6. Request was from Axel Beckert <abe@debian.org> to 982435-submit@bugs.debian.org. (Wed, 10 Feb 2021 11:51:11 GMT) (full text, mbox, link).


Marked as found in versions screen/4.2.1-3+deb8u1. Request was from Axel Beckert <abe@debian.org> to 982435-submit@bugs.debian.org. (Wed, 10 Feb 2021 11:51:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 13:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Wed, 10 Feb 2021 13:30:03 GMT) (full text, mbox, link).


Message #23 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: abe@debian.org
Cc: Debian Security Team <team@security.debian.org>, Debian LTS <debian-lts@lists.debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 982435@bugs.debian.org
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 18:56:17 +0530
Hi Axel,

On Wed, Feb 10, 2021 at 5:17 PM Axel Beckert <abe@debian.org> wrote:
> Thanks for the heads up! Hadn't noticed that upstream bug report
> yesterday, but I do have it in my inbox.
>
> https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile
> as it seems.
>
> Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted
> mail?

Me, too, please (though I'll keep an eye on it myself)! :)
I'll take care of fixing stretch and jessie and I am aware of all this
since I was the one who got this CVE assigned! :D


- u



Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 13:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Wed, 10 Feb 2021 13:36:02 GMT) (full text, mbox, link).


Message #28 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: abe@debian.org
Cc: Debian Security Team <team@security.debian.org>, Debian LTS <debian-lts@lists.debian.org>, 982435@bugs.debian.org
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 19:01:30 +0530
On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
> I'll take care of fixing stretch and jessie and I am aware of all this
> since I was the one who got this CVE assigned! :D

Oh, I forgot to mention, I say this with my LTS and ELTS hat on!^
But in case you want to work on the package yourself, that's very
welcome too! :)

Either way, thanks for CCing and keeping everybody in the loop this way!


- u



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 15:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Feb 2021 15:57:03 GMT) (full text, mbox, link).


Message #33 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Screen development <screen-devel@gnu.org>, Felix Weinmann <agga-games@gmx.de>
Cc: Michael Schröder <mls@suse.de>, jwsteam@nidido.de, max.spaeth01@gmail.com, screen@uni-erlangen.de, carnil@debian.org, utkarsh@debian.org, 982435@bugs.debian.org
Subject: Re: [screen-devel] [bug #60030] Screen segfaults by displaying some UTF-8 character combination
Date: Wed, 10 Feb 2021 16:53:18 +0100
[Message part 1 (text/plain, inline)]
Hi again,

Axel Beckert wrote:
> On Wed, Feb 10, 2021 at 08:59:15AM -0500, Michael Schröder wrote:
> > diff --git a/src/encoding.c b/src/encoding.c
> > index 11c3c41..e1ea364 100644
> > --- a/src/encoding.c
> > +++ b/src/encoding.c
> > @@ -1164,7 +1164,9 @@ void utf8_handle_comb(unsigned int c, struct mchar *mc)
> >                 if (c1 >= 0xd800 && c1 < 0xe000)
> >                         comb_tofront(root, c1 - 0xd800);
> >                 i = combchars[root]->prev;
> > -               if (c1 == i + 0xd800) {
> > +               if (i == (unsigned int)root)
> > +                       i = combchars[root ^ 1]->prev;  /* steal from other
> > root */
> > +               if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) {
> >                         /* completely full, can't recycle */
> >                         mc->image = '?';
> >                         mc->font = 0;
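Review bot: the new "steal from other root" branch (`i = combchars[root ^ 1]->prev;`) takes a slot out of the other ring, but nothing in this hunk unlinks it from that ring before the rest of the function treats it as belonging to `root`; if the code after the hunk still ends with `comb_tofront(root, i)` on that slot, the node is reachable from both rings at once, so the unlink should happen here. The cast in `if (i == (unsigned int)root)` is unnecessary, since `root` and `i` are both declared `int` (the declaration is quoted later in this thread), and only turns the comparison into an unsigned one. Also, `i == 0x800 || i == 0x801` treats "prev is a root" as "completely full", which is also what an empty ring looks like (a fresh node points at itself, as the later hunk's `prev = i; next = i;` shows), so the `mc->image = '?'` fallback may fire for ordinary input; that would fit the rendering artefacts reported right after the hunk and is worth testing with a plain wide character before and after the patch.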
> 
> Thanks, but this seems to break the actual output.
> 
> With that patch I now get "ÿ " after every wide character in the
> output. The beginning now looks like this for me (in the hope it will
> be passed properly through mail):
> 
> 円ᆆᆿÿ 忿ᇎᆿÿ 忘ᆿᆿÿ 忿ᆾᆿÿ 応ᆿᆿÿ 忿ᆷᆿÿ 忑ᆿᆿÿ 忿ᇠᆿÿ 冺ᆿᆿÿ 忿ᇇᆿÿ 忟ᆿᆿÿ 忿ᆺᆿÿ 忳ᆿᆿÿ 忿ᅳᆿÿ 忣ᆿᆿÿ 忿ᇯᆿÿ 忇ᆿᆿÿ 忿ᇅᆿÿ

Axel Beckert wrote:
> So your bug report is already publicly visible at
> https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
> even though it is hidden on Savannah. (This is something those with
> admin access to the screen project on Savannah might want to review.)

Well, but my own line above seems to have crashed my screen session
through mutt at least once, but I can't reproduce this anymore — and I
wrote that line in Emacs in the very same screen session beforehand
(by pasting that line).

Anyway, I seem to have been able to make up a patch (against 4.8.0 as
in Debian Unstable) which avoids the crash as well as the issue I
described in my previous mail which I cited above.

I have no idea, though, whether the patch castrates any other
functionality or has unwanted side effects. Any review would be nice:

--- a/encoding.c
+++ b/encoding.c
@@ -1408,21 +1408,23 @@
 	}
       /* FIXME: delete old char from all buffers */
     }
-  else if (!combchars[i])
-    {
-      combchars[i] = (struct combchar *)malloc(sizeof(struct combchar));
-      if (!combchars[i])
-	return;
-      combchars[i]->prev = i;
-      combchars[i]->next = i;
-    }
-  combchars[i]->c1 = c1;
-  combchars[i]->c2 = c;
-  mc->image = i & 0xff;
-  mc->font  = (i >> 8) + 0xd8;
-  mc->fontx = 0;
-  debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
-  comb_tofront(root, i);
+  else if (i < sizeof combchars / sizeof *combchars) {
+    if (!combchars[i])
+      {
+        combchars[i] = (struct combchar *)malloc(sizeof(struct combchar));
+        if (!combchars[i])
+          return;
+        combchars[i]->prev = i;
+        combchars[i]->next = i;
+      }
+    combchars[i]->c1 = c1;
+    combchars[i]->c2 = c;
+    mc->image = i & 0xff;
+    mc->font  = (i >> 8) + 0xd8;
+    mc->fontx = 0;
+    debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+    comb_tofront(root, i);
+  }
 }
 
 #else /* !UTF8 */
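Review bot: `i < sizeof combchars / sizeof *combchars` is not a bounds check here: `combchars` is a pointer, not an array (it is tested with `if (!combchars)` elsewhere in the function and its entries are `malloc`ed one by one in this very hunk), so both `sizeof` operands are pointer sizes and the quotient is 1. The guard therefore reduces to `i < 1`, which drops every combining character except slot 0; that explains both why the crash goes away and why no "ÿ " artefacts appear, but it is a functional regression rather than a fix. Compare `i` against the number of entries the table was allocated with (the `calloc` count at the top of `utf8_handle_comb()`), ideally via a named constant shared with that allocation, and on failure fall back to the same `'?'` handling the "completely full" branch uses instead of returning with `mc` untouched. Re-indenting the whole block also makes the change hard to review; an early `return` or `goto` would keep the diff to a few lines.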

The basic idea is to avoid an out of bounds array access at all by
first checking if "i" is bigger than the biggest index in the
combchars array.

I have no idea if the elements of the combchars array do have all the
same size. I just assume that all have the same size as the first
element.

At least that patch doesn't show that "ÿ " string after each wide
character. I can imagine, though, that it suppresses maybe one or two
characters at the very end of the array.

I'm currently running that patch locally and will also try to
create a patched version for the screen versions with which I run my
mail sessions to get a feeling for it in production.

P.S. to Utkarsh: That means I will prepare patches for Stretch and
Buster at least in Debian's git at
https://salsa.debian.org/debian/screen

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 16:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Wed, 10 Feb 2021 16:03:05 GMT) (full text, mbox, link).


Message #38 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>
To: Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Cc: Axel Beckert <abe@debian.org>, 982435@bugs.debian.org
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 21:31:42 +0530
Hello,

On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
> I'll take care of fixing stretch and jessie and I am aware of all this
> since I was the one who got this CVE assigned! :D

Somewhat related, I also got CVE-2021-27135 assigned for xterm.
I'll take care of the updates when the patch is available.

But interestingly, while reproducing the issue in screen, you can also
easily reproduce this issue in xterm. See[1].

[1]: https://www.openwall.com/lists/oss-security/2021/02/09/7


- u



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 16:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Feb 2021 16:54:02 GMT) (full text, mbox, link).


Message #43 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>, 982435@bugs.debian.org, Tavis Ormandy <taviso@gmail.com>
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 17:51:50 +0100
[Message part 1 (text/plain, inline)]
Hi,

Utkarsh Gupta wrote:
> On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
> > I'll take care of fixing stretch and jessie and I am aware of all this
> > since I was the one who got this CVE assigned! :D
> 
> Somewhat related, I also got CVE-2021-27135 assigned for xterm.
> I'll take care of the updates when the patch is available.
>
> But interestingly, while reproducing the issue in screen, you can also
> easily reproduce this issue in xterm. See[1].
> 
> [1]: https://www.openwall.com/lists/oss-security/2021/02/09/7

Ick! And indeed, double clicking that line closes xterm. Ouch.

urxvt and kitty seem not affected — but also don't seem to render it
correctly either.

I btw. managed to get Taviso's crash with xterm (365-1 from Debian
Unstable) even shorter.

$ base64 -d < CVE-2021-26937.poc.minimized | gzip -d - > test
$ lynx -dump test | head -1

And then e.g. double-clicking on the resulting line.

Compressed and base64 encoded:

H4sICO4NJGACA3Rlc3Qub25lbGluZQB72tb2EIT2P92//2F7H5gxA0hCRdr2gRlzkES2gxkTESLt
C0CMtl1IIu1gxnwkXbvAjM0IkdbNYMZiJF3rwYx2JJFWMGMmkjl7YGqaYeZsAzM2IemCSM1C0rUa
yOACAGPLp0/rAAAA

It doesn't crash an unpatched screen, though.

Actually when Tavis mentioned Thomas, I just wanted to test where I
have most contact with Thomas: Lynx. But I found no similar issues in
Lynx. :-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
[signature.asc (application/pgp-signature, inline)]

Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2021 22:06:08 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2021 22:06:08 GMT) (full text, mbox, link).


Message #48 received at 982435-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 982435-close@bugs.debian.org
Subject: Bug#982435: fixed in screen 4.8.0-4
Date: Wed, 10 Feb 2021 22:04:03 +0000
Source: screen
Source-Version: 4.8.0-4
Done: Axel Beckert <abe@debian.org>

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Feb 2021 22:25:44 +0100
Source: screen
Architecture: source
Version: 4.8.0-4
Distribution: unstable
Urgency: low
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Closes: 982435
Changes:
 screen (4.8.0-4) unstable; urgency=low
 .
   * Update URL in 52fix_screen_utf8_nfd.patch by following the redirect.
   * [CVE-2021-26937] Patch out of bounds array access to fix crash.
     (Closes: #982435; urgency=low to get more exposure for that patch.)
Checksums-Sha1:
 0e1e8096e9d6d5a0870ce1844ef63171288bcb15 2317 screen_4.8.0-4.dsc
 8490f41bfac9c05d53f4a73a2fc200e9d25da28c 48436 screen_4.8.0-4.debian.tar.xz
 965ecd2aba60c8ff77ae6fff7dc9e56a6e1a5824 6716 screen_4.8.0-4_source.buildinfo
Checksums-Sha256:
 57729a52362813e43971c217c43d5d6a87348c2b137a4f676f6a37e7e307a15f 2317 screen_4.8.0-4.dsc
 6b3092d2bbb5e16c2f10b72da96af6b28b55f3150ec3721ec34dbba8e3c83bb8 48436 screen_4.8.0-4.debian.tar.xz
 b68d71ff262fe91761fb72c6d477327b67fe485c49bd2fd24ec150096f6c930c 6716 screen_4.8.0-4_source.buildinfo
Files:
 f18251fe1a94d065b5798cf08a4948b9 2317 misc standard screen_4.8.0-4.dsc
 286810a062755b639eff7f7b59c0d0c8 48436 misc standard screen_4.8.0-4.debian.tar.xz
 c1a0a89e0c1ba09192ffb36e6cf1300d 6716 misc standard screen_4.8.0-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=GWha
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#982435; Package src:screen. (Wed, 10 Feb 2021 23:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Tavis Ormandy <taviso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Wed, 10 Feb 2021 23:06:02 GMT) (full text, mbox, link).


Message #53 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Tavis Ormandy <taviso@gmail.com>
To: Utkarsh Gupta <utkarsh@debian.org>, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>, 982435@bugs.debian.org
Subject: Re: Bug#982435: screen: CVE-2021-26937
Date: Wed, 10 Feb 2021 15:04:35 -0800
On Wed, Feb 10, 2021 at 05:51:50PM +0100, Axel Beckert wrote:
> 
> It doesn't crash an unpatched screen, though.
> 

Hey Axel, I tried to reply to your screen-devel post, but it's taking a
while to subscribe!

Here is the message I sent:

On 2021-02-10, Axel Beckert wrote:
> +  else if (i < sizeof combchars / sizeof *combchars) {

This doesn't seem right, I think it should be compared against the
calloc param at the top of utf8_handle_comb(), but I don't really
understand enough about unicode to know where that 0x802 comes from!

I think for sure this code doesn't handle c > 0x801, so maybe that's an
acceptable fix?

i.e.

--- encoding.c>-2020-02-05 12:09:38.000000000 -0800
+++ encoding.c>-2021-02-10 15:00:05.000000000 -0800
@@ -1357,6 +1357,9 @@
   int root, i, c1;
   int isdouble;

+  if (c > 0x801)
+    return;
+
   c1 = mc->image | (mc->font << 8) | mc->fontx << 16;
   isdouble = c1 >= 0x1100 && utf8_isdouble(c1);
   if (!combchars)
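Review bot: `if (c > 0x801) return;` guards the new combining character `c`, not the index that is actually used to subscript `combchars[]` (which is derived from `c1` and the `prev` links), so the hunk should say why bounding `c` is sufficient, e.g. with a comment tying 0x801 to the `calloc(0x802, ...)` count at the top of the function; a named constant shared with that allocation would also remove the magic number. The early `return` happens before `mc` is updated, so the character is dropped silently rather than rendered as `'?'` as the "completely full" path does. Note too that 0x801 is not a UTF-8 encoding-length boundary (two-byte sequences end at U+07FF) and that legitimate combining marks exist above it, for instance the Combining Diacritical Marks for Symbols block at U+20D0; with this guard those no longer combine at all.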


Tavis.


-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso

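The two points argued over in this thread, `sizeof` on a pointer versus the real allocation count, and how a slot index is packed into an mchar's image/font bytes, are easy to get wrong without seeing them side by side. The following is an added example written for this page, not GNU Screen's code and not a patch from anyone in the thread: it models the `combchars[]` table with a bounds-checked accessor and the pack/unpack of a slot index. The count 0x802 is the `calloc` parameter mentioned above; the two-root layout, the function names and the `COMB_BASE` constant are this example's own assumptions.

```c
/* Added example (not GNU Screen's code): a model of the combchars[] table
 * from encoding.c that shows (1) why "sizeof combchars / sizeof *combchars"
 * is not a bounds check on a pointer, (2) a check against the actual
 * allocation count, and (3) the image/font packing of a slot index.
 * COMBCHARS_N = 0x802 is the calloc count named in the thread; the rest
 * (two roots at 0x800/0x801, names, COMB_BASE) is this example's assumption. */
#include <stdlib.h>

#define COMBCHARS_N 0x802   /* slots 0x000..0x7ff plus the two list roots 0x800/0x801 */
#define COMB_BASE   0xd800  /* slot i is stored as c1 = 0xd800 + i: font 0xd8 + (i >> 8), image i & 0xff */

struct combchar { unsigned int c1, c2; int prev, next; };

/* Like the original: a pointer to a lazily allocated array of pointers. */
static struct combchar **combchars;

/* The expression the first patch used. combchars is a pointer, so both
 * operands are pointer sizes and the quotient is 1, not the entry count. */
size_t table_len_from_sizeof(void) { return sizeof combchars / sizeof *combchars; }

/* Allocate the pointer table and the two ring roots (layout assumed). */
static int ensure_table(void) {
    if (combchars) return 1;
    combchars = calloc(COMBCHARS_N, sizeof *combchars);
    if (!combchars) return 0;
    for (int r = 0x800; r <= 0x801; r++) {
        combchars[r] = calloc(1, sizeof **combchars);
        if (!combchars[r]) return 0;
        combchars[r]->prev = combchars[r]->next = r;   /* an empty ring points at itself */
    }
    return 1;
}

/* Bounds-checked slot access: NULL for any index the table cannot hold,
 * so callers never touch combchars[i] with i >= COMBCHARS_N (or i < 0). */
struct combchar *comb_slot(int i) {
    if (!ensure_table()) return NULL;
    if (i < 0 || i >= COMBCHARS_N) return NULL;
    if (!combchars[i]) {
        combchars[i] = calloc(1, sizeof **combchars);
        if (!combchars[i]) return NULL;
        combchars[i]->prev = combchars[i]->next = i;
    }
    return combchars[i];
}

/* Pack slot i into the byte fields the way the hunk does and return the
 * c1 value a later call would rebuild from image | font << 8. */
unsigned int pack_slot(int i, unsigned char *image, unsigned char *font) {
    *image = (unsigned char)(i & 0xff);
    *font  = (unsigned char)((i >> 8) + 0xd8);
    return *image | ((unsigned int)*font << 8);
}

/* Inverse of pack_slot with the window check from the original
 * ("c1 >= 0xd800 && c1 < 0xe000"); -1 when c1 is not a slot reference.
 * Values outside the window, including ones where fontx contributed
 * bits 16 and up, are rejected instead of being turned into an index. */
int slot_from_c1(unsigned int c1) {
    if (c1 < COMB_BASE || c1 >= COMB_BASE + 0x800) return -1;
    return (int)(c1 - COMB_BASE);
}
```

The window check alone already keeps an index rebuilt from `c1` below 0x800, so the roots can only be reached through the `prev`/`next` links; that is why the check that matters is the one on whatever index is finally used to subscript the table, against the allocation count, not against `sizeof` of the pointer.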


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#982435; Package src:screen. (Thu, 11 Feb 2021 01:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Thu, 11 Feb 2021 01:51:02 GMT) (full text, mbox, link).


Message #58 received at 982435@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: Screen development <screen-devel@gnu.org>, Tavis Ormandy <taviso@gmail.com>, 982435@bugs.debian.org
Cc: Utkarsh Gupta <utkarsh@debian.org>, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: [screen-devel] [bug #60030] Screen segfaults by displaying some UTF-8 character combination
Date: Thu, 11 Feb 2021 02:46:54 +0100
[Message part 1 (text/plain, inline)]
Hi Tavis,

thanks for having a look into this!

Tavis Ormandy wrote:
> On 2021-02-10, Axel Beckert wrote:
> > +  else if (i < sizeof combchars / sizeof *combchars) {
> 
> This doesn't seem right, I think it should be compared against the
> calloc param at the top of utf8_handle_comb(),

Good point, thanks!

Your patch works fine on a first glance. No side effects like these
"ÿ " I saw with Michael's proposed patch. (But Michael's patch also
seems to care more about these 0x800 ff. values, so his and your patch
probably go into the right direction while my fix was rather generic
and perhaps too local.)

> but I don't really understand enough about unicode to know where
> that 0x802 comes from!

Will have a closer look into that direction tomorrow. But it indeed
sounds saner than my patch. And it is also much shorter and less
intrusive as it doesn't need to indent a whole block.

> I think for sure this code doesn't handle c > 0x801,

Which would mean it can just handle Unicode characters which are
represented by two bytes in UTF-8 representation. Because
that's what's special about characters around that value:

U+07FF NKO TAMAN SIGN        is 0xDF 0xBF      in UTF-8.
U+0800 SAMARITAN LETTER ALAF is 0xE0 0xA0 0x80 in UTF-8.

(according to gucharmap)

This also explains why we see c1 and c2 in the code (and what they
mean) but e.g. no c3. It suddenly all starts to make more sense, yes.

BTW, credit for the right hint goes to
https://stackoverflow.com/questions/47783583/generating-3-byte-0x800-to-0xffff-utf-8-encodings-in-java

> so maybe that's an acceptable fix?

I probably haven't looked around far enough for my patch, yes. Just
looked at where the backtrace of the crash pointed me (same if-clause
as you pointed out on oss-sec) and tried to guard that one very
generically.

P.S.: A disclaimer for those who aren't aware of it: I'm not a GNU
Screen developer. I'm just Debian's screen package maintainer trying to
fix that package in time for Debian's next stable release. So I can't
break GNU Screen, just Debian's package of it. ;-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
[signature.asc (application/pgp-signature, inline)]
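The message above reasons about the 0x801 bound from the UTF-8 byte lengths of U+07FF and U+0800. The following is an added example, not part of the bug report and not GNU Screen's code: a small validating UTF-8 encoder/decoder that makes that boundary explicit and lets the reader check exactly which code points a guard such as `c > 0x801` keeps. It also shows that the boundary and the guard do not coincide: U+0800 and U+0801 are three-byte sequences and still pass. All function names are this example's own.

```c
/* Added example (not part of the bug report or of GNU Screen): a validating
 * UTF-8 encoder/decoder that makes the 2-byte/3-byte boundary at U+0800
 * explicit. Function names are this example's own. */
#include <stddef.h>
#include <stdint.h>

/* Number of UTF-8 bytes needed for a scalar value, 0 if not encodable. */
size_t utf8_len_for(uint32_t cp) {
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;                     /* U+07FF is the last 2-byte code point */
    if (cp >= 0xd800 && cp < 0xe000) return 0;    /* surrogates are not scalar values */
    if (cp < 0x10000) return 3;                   /* U+0800 is the first 3-byte code point */
    if (cp < 0x110000) return 4;
    return 0;
}

/* Encode cp into out (room for 4 bytes). Returns bytes written, 0 on error. */
size_t utf8_encode(uint32_t cp, unsigned char out[4]) {
    size_t n = utf8_len_for(cp);
    switch (n) {
    case 1: out[0] = (unsigned char)cp; break;
    case 2: out[0] = 0xc0 | (cp >> 6);  out[1] = 0x80 | (cp & 0x3f); break;
    case 3: out[0] = 0xe0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3f);
            out[2] = 0x80 | (cp & 0x3f); break;
    case 4: out[0] = 0xf0 | (cp >> 18); out[1] = 0x80 | ((cp >> 12) & 0x3f);
            out[2] = 0x80 | ((cp >> 6) & 0x3f); out[3] = 0x80 | (cp & 0x3f); break;
    default: return 0;
    }
    return n;
}

/* Decode one sequence from in[0..len). Returns bytes consumed, 0 on error
 * (truncated, bad continuation byte, overlong form, surrogate, > U+10FFFF).
 * Rejecting overlongs matters: an attacker-chosen encoding must not be able
 * to smuggle a code point past a check that was done on the decoded value. */
size_t utf8_decode(const unsigned char *in, size_t len, uint32_t *cp) {
    if (len == 0) return 0;
    unsigned char b = in[0];
    size_t n; uint32_t v, min;
    if (b < 0x80)        { *cp = b; return 1; }
    else if (b < 0xc2)   return 0;                      /* continuation byte, or C0/C1 overlong lead */
    else if (b < 0xe0)   { n = 2; v = b & 0x1f; min = 0x80; }
    else if (b < 0xf0)   { n = 3; v = b & 0x0f; min = 0x800; }
    else if (b < 0xf5)   { n = 4; v = b & 0x07; min = 0x10000; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((in[i] & 0xc0) != 0x80) return 0;
        v = (v << 6) | (in[i] & 0x3f);
    }
    if (v < min) return 0;                              /* overlong */
    if (v >= 0xd800 && v < 0xe000) return 0;            /* surrogate */
    if (v > 0x10ffff) return 0;
    *cp = v;
    return n;
}

/* What the "c > 0x801" guard from the proposed patch keeps: 1 if a decoded
 * code point would be accepted. It is NOT the 2-byte boundary: U+0800 and
 * U+0801 are 3-byte sequences and still pass. */
int passes_0x801_guard(uint32_t cp) { return cp <= 0x801; }
```

A decoder like this sits in front of any table lookup keyed by code point: once overlong and surrogate forms are rejected, the value handed to the lookup is a genuine scalar value and a simple range check against the table size is enough.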


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 11 08:02:12 2021; Machine Name: buxtehude