starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-02-04 05:35:20 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

REP escape sequence with a large repeat count will hang conhost #7190

New Issue
Closed
opened 2026-01-31 00:57:25 +00:00 by claunia · 5 comments
claunia commented 2026-01-31 00:57:25 +00:00
Owner
Copy Link

Originally created by @j4james on GitHub (Mar 28, 2020).

Environment

Windows build number: Version 10.0.18362.657
Windows Terminal version (if applicable): Commit 28d108bf32

Steps to reproduce

  1. Build the OpenConsole solution from a recent commit
  2. Open a bash shell in conhost
  3. Run the command: printf "*\e[9999999999b"

Expected behavior

Technically we're asking the terminal to repeat the * character 10 billion times, but most terminals clamp their parameter values at a reasonable size. So I'd expect to see the * repeated several thousand times, but not billions.

For reference, the DEC specifications recommend a minimum of 16384, and both XTerm and VTE clamp parameters at 65535. Until recently I think we used to clamp them to 32767.

Actual behavior

The terminal hangs while eating up gigabytes of memory.

My recommendation would be to fix this in the state machine, because that potentially fixes or simplifies a bunch of other overflow problems too. See here:

7b9c8c7055/src/terminal/parser/stateMachine.cpp (L1429-L1434)

Worst case, though, we could fix this specific problem in the REP implementation here:

7b9c8c7055/src/terminal/parser/OutputStateMachineEngine.cpp (L527-L528)

Originally created by @j4james on GitHub (Mar 28, 2020). # Environment Windows build number: Version 10.0.18362.657 Windows Terminal version (if applicable): Commit 28d108bf32de4dce061d80a2bd160cd617c7e698 # Steps to reproduce 1. Build the OpenConsole solution from a recent commit 2. Open a bash shell in conhost 3. Run the command: `printf "*\e[9999999999b"` # Expected behavior Technically we're asking the terminal to repeat the `*` character 10 billion times, but most terminals clamp their parameter values at a reasonable size. So I'd expect to see the `*` repeated several thousand times, but not billions. For reference, the DEC specifications recommend a minimum of 16384, and both XTerm and VTE clamp parameters at 65535. Until recently I think we used to clamp them to 32767. # Actual behavior The terminal hangs while eating up gigabytes of memory. My recommendation would be to fix this in the state machine, because that potentially fixes or simplifies a bunch of other overflow problems too. See here: https://github.com/microsoft/terminal/blob/7b9c8c7055419b994f39092e46156d793c2c5b75/src/terminal/parser/stateMachine.cpp#L1429-L1434 Worst case, though, we could fix this specific problem in the `REP` implementation here: https://github.com/microsoft/terminal/blob/7b9c8c7055419b994f39092e46156d793c2c5b75/src/terminal/parser/OutputStateMachineEngine.cpp#L527-L528
claunia commented 2026-01-31 00:57:26 +00:00
Author
Owner
Copy Link

@jdebp commented on GitHub (Mar 29, 2020):

Capping parameters in general to 16-bit integers is possibly not a future-proof idea.

Capping this specific case most certainly is, in contrast. If automatic right margin (DEC Private Mode 7) is off, it makes no sense to ever repeat more than 1 lineful of characters. If automatic right margin is on, it makes no sense to ever repeat more than 1 screenful + maximum scrollback size of characters. Repeating more would have no visibly different effect.

@jdebp commented on GitHub (Mar 29, 2020): Capping parameters in general to 16-bit integers is possibly not a future-proof idea. Capping this specific case most certainly is, in contrast. If automatic right margin (DEC Private Mode 7) is off, it makes no sense to ever repeat more than 1 lineful of characters. If automatic right margin is on, it makes no sense to ever repeat more than 1 screenful + maximum scrollback size of characters. Repeating more would have no visibly different effect.
claunia commented 2026-01-31 00:57:26 +00:00
Author
Owner
Copy Link

@j4james commented on GitHub (Mar 29, 2020):

Capping parameters in general to 16-bit integers is possibly not a future-proof idea.

If not 16 bits then what? 32? 64? 128? Infinite? You've got to pick a limit somewhere, and 16 bits meets the need of every existing escape sequence, and keeps us compatible with other mainstream terminal emulators. There are no immediate benefits to having a higher cap, but there are several negative consequences. Introducing unnecessary problems in the code just so we can prepare for some imaginary future event that may never occur seems extremely counterproductive.

@j4james commented on GitHub (Mar 29, 2020): > Capping parameters in general to 16-bit integers is possibly not a future-proof idea. If not 16 bits then what? 32? 64? 128? Infinite? You've got to pick a limit somewhere, and 16 bits meets the need of every existing escape sequence, and keeps us compatible with other mainstream terminal emulators. There are no immediate benefits to having a higher cap, but there are several negative consequences. Introducing unnecessary problems in the code just so we can prepare for some imaginary future event that may never occur seems extremely counterproductive.
claunia commented 2026-01-31 00:57:27 +00:00
Author
Owner
Copy Link

@ghost commented on GitHub (Apr 22, 2020):

:tada:This issue was addressed in #5200, which has now been successfully released as Windows Terminal Preview v0.11.1121.0.🎉

Handy links:

@ghost commented on GitHub (Apr 22, 2020): :tada:This issue was addressed in #5200, which has now been successfully released as `Windows Terminal Preview v0.11.1121.0`.:tada: Handy links: * [Release Notes](https://github.com/microsoft/terminal/releases/tag/v0.11.1121.0) * [Store Download](https://www.microsoft.com/store/apps/9n0dx20hk701?cid=storebadge&ocid=badge)
claunia commented 2026-01-31 00:57:27 +00:00
Author
Owner
Copy Link

@jdebp commented on GitHub (Apr 28, 2020):

The limit that you had in that code wasn't that problematic. A limit of 32767 on the length of that string is not sensible, for the reasons that I mentioned, and sensible code would thus have to employ a lower limit, specific to REP, anyway. In which case, the overall limit on parameter decoding need not be the same as the REP-specific limit.

Conversely, a limit of 32767 on everything is not future-proof. One day, someone will come along with a control sequence that has a parameter value greater than that. Perhaps it will be an encoded 24-bit or 32-bit RGB value. Perhaps it will be a 21-bit Unicode code point. Perhaps it will be something that merely needs 16 bits instead of 15, as at least one control sequence already does.

Moreover, no this is not compatible with others, given that you've chosen a number different to them.

It is 2020. Surely we have learned by now not to put signed 16-bit limits into things, and not to be foolishly dismissive of the idea that 15 bits might not be enough? There's a huge body of past experience to learn from in that regard, quite a lot of it in Microsoft softwares. (The fact that it wasn't enough in the old console implementation, necessitating this one and bringing all of the current pain engendered by the old UCS-2 interfaces, seems particularly ironic here. Yes, people said exactly what you just said about 16 bits sufficing for Unicode in the future, too, and it wasn't the case.)

Your REP limit should be sensible, and much lower; and your general parameter decoding limit should be distinct from that, future-proof, and higher.

@jdebp commented on GitHub (Apr 28, 2020): _The limit that you had in that code_ wasn't that problematic. A limit of 32767 on the length of that string is not sensible, for the reasons that I mentioned, and sensible code would thus have to employ a lower limit, specific to REP, _anyway_. In which case, the overall limit on parameter decoding need not be the same as the REP-specific limit. Conversely, a limit of 32767 on _everything_ is not future-proof. One day, someone will come along with a control sequence that has a parameter value greater than that. Perhaps it will be an encoded 24-bit or 32-bit RGB value. Perhaps it will be a 21-bit Unicode code point. Perhaps it will be something that merely needs 16 bits instead of 15, as at least one control sequence already does. Moreover, no this is not compatible with others, given that you've chosen a number different to them. It is 2020. Surely we have learned by now not to put signed 16-bit limits into things, and not to be foolishly dismissive of the idea that 15 bits might not be enough? There's a huge body of past experience to learn from in that regard, quite a lot of it in Microsoft softwares. (The fact that it wasn't enough in the old console implementation, necessitating this one and bringing all of the current pain engendered by the old UCS-2 interfaces, seems particularly ironic here. Yes, people said exactly what you just said about 16 bits sufficing for Unicode in the future, too, and it wasn't the case.) Your REP limit should be sensible, and much lower; and your general parameter decoding limit should be distinct from that, future-proof, and higher.
claunia commented 2026-01-31 00:57:27 +00:00
Author
Owner
Copy Link

@DHowett-MSFT commented on GitHub (Apr 28, 2020):

I'm just happy that the clamping is happening in a single place and it'll give us the time to audit anything in the console host that isn't n>SHRT_MAX-safe. The cure here isn't worse than the disease -- we already had this limit, and this change just restored it.

@DHowett-MSFT commented on GitHub (Apr 28, 2020): I'm just happy that the clamping is happening in a single place and it'll give us the time to audit anything in the console host that isn't `n>SHRT_MAX`-safe. The cure here isn't worse than the disease -- we already had this limit, and this change just restored it.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Reserved
A11yCO
A11yMAS
A11ySev1
A11ySev2
A11ySev3
A11yTTValidated
A11yUsable
A11yVoiceAccess
A11yWCAG
Area-Accessibility
Area-AtlasEngine
Area-AzureShell
Area-Build
Area-Build
Area-Chat
Area-CmdPal
Area-CodeHealth
Area-Commandline
Area-CookedRead
Area-DefApp
Area-Extensibility
Area-Fonts
Area-GroupPolicy
Area-i18n
Area-Input
Area-Interaction
Area-Interop
Area-Localization
Area-Output
Area-Performance
Area-Portable
Area-Quality
Area-Remoting
Area-Rendering
Area-Schema
Area-Server
Area-Settings
Area-SettingsUI
Area-ShellExtension
Area-ShellExtension
Area-ShellExtension
Area-Suggestions
Area-Suggestions
Area-TerminalConnection
Area-TerminalControl
Area-Theming
Area-UserInterface
Area-VT
Area-Windowing
Area-WPFControl
AutoMerge
Blocking-Ingestion
Culprit-Centennial
Culprit-WinUI
Disability-All
Disability-Blind
Disability-LowVision
Disability-Mobility
External-Blocked-WinUI3
Fixed
Gathering-Data
good first issue
HCL-E+D
HCL-WindowsTerminal
Help Wanted
Impact-Compatibility
Impact-Compliance
Impact-Correctness
Impact-Visual
In-PR
InclusionBacklog
InclusionBacklog-Windows TerminalWin32
InclusionCommitted-202206
Issue-Bug
Issue-Docs
Issue-Feature
Issue-Feature
Issue-Question
Issue-Samples
Issue-Scenario
Issue-Task
Needs-Attention
Needs-Author-Feedback
Needs-Bisect
Needs-Discussion
Needs-Repro
Needs-Tag-Fix
Needs-Tag-Fix
Needs-Triage
No-Recent-Activity
Priority-0
Priority-1
Priority-2
Priority-3
Product-Cmd.exe
Product-Colortool
Product-Colortool
Product-Colortool
Product-Conhost
Product-Conpty
Product-Meta
Product-Powershell
Product-Terminal
Product-WSL
pull-request
Mirrored from GitHub Pull Request
 Resolution-Answered
Resolution-By-Design
Resolution-Duplicate
Resolution-External
Resolution-Fix-Available
Resolution-Fix-Committed
Resolution-No-Repro
Resolution-Won't-Fix
Severity-Blocking
Severity-Crash
Severity-DataLoss
spam
this-will-be-a-breaking-change
Tracking-External
WindowsTerminal_Win32
Work-Item
zAskModeBug
zInbox-Bug
No Label Area-VT Issue-Bug Needs-Triage Product-Conhost Resolution-Fix-Committed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#7190
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?