• src/conio/cterm.c

    From Deucе@1:103/705 to Git commit to main/sbbs/master on Sunday, March 15, 2026 14:09:13
    https://gitlab.synchro.net/main/sbbs/-/commit/1024d7e8b341382e4879442b
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix ATASCII cursor left/right/backspace assigning to wrong variable

    Cursor left (case 30) and cursor right (case 31) were clamping y
    instead of x when the column went out of bounds, corrupting the
    cursor row position. Backspace (case 126) wrap to previous line
    set y = CURR_MAXY instead of x = CURR_MAXX. Note: backspace wrap
    behavior needs verification against real Atari 8-bit hardware.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sunday, March 15, 2026 16:01:53
    https://gitlab.synchro.net/main/sbbs/-/commit/562ed4bd1dde9067de65da78
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix ATASCII cursor movement wrap behavior and backspace

    Cursor movement (up/down/left/right) wraps to the opposite edge of the
    same row or column, matching real Atari hardware behavior. Backspace
    does not wrap — it sticks at the left margin.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sunday, March 15, 2026 20:35:47
    https://gitlab.synchro.net/main/sbbs/-/commit/d0be28bdfbb1b0c26ce8a723
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Clamp SU/SD scroll count to scroll region height

    CSI Ps S (Scroll Up) and CSI Ps T (Scroll Down) looped param_int[0]
    times calling cterm_scrollup()/scrolldown() individually. With a huge
    parameter (e.g. ESC[65536T), this performed tens of thousands of
    movetext + clear operations, hanging the terminal for seconds — a
    low-bandwidth DoS from a 9-byte sequence.

    Clamp the count to TERM_MAXY (the scroll region height). Scrolling
    more lines than the region contains is equivalent to clearing it.
    This matches how IL, DL, ICH, and DCH all clamp their counts already.

    Found by ANSI fuzz testing (termtest.js).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Sunday, March 15, 2026 22:51:38
    https://gitlab.synchro.net/main/sbbs/-/commit/1ca9c740a257a2eb93f86bf9
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix uint64-to-int truncation and wrong variable in CSI parameter clamps

    Six fixes for CSI sequence handlers where seq->param_int[] (uint64_t)
    values could bypass bounds clamps:

    ICH '@' (Insert Character): The clamp compared against cterm->width - j
    where j is the Y/row coordinate — should be the X/column coordinate.
    Replaced with TERM_MAXX - i + 1 (where i is the column), matching the
    pattern DCH already uses. Without this fix, in tall narrow terminals
    where row > width, the subtraction underflows to a huge uint64_t,
    bypassing the clamp entirely and passing garbage to movetext().

    IL 'L' (Insert Line): Added if(i < 1) break after i = seq->param_int[0].
    The uint64-to-int assignment can produce negative values (e.g. param
    0x80000000 becomes INT_MIN) that pass the i > TERM_MAXY - row check,
    then cause integer overflow in movetext(... max_row - i ...).

    DCH 'P' (Delete Character): Same truncation issue. Negative i bypasses
    i > TERM_MAXX - col + 1, then overflows movetext(col2 + i, ...) and
    cterm_gotoxy(TERM_MAXX - i, ...).

    ECH 'X' (Erase Character): Negative i bypasses i > CURR_MAXX - col,
    then malloc(negative * sizeof) promotes to a huge size_t allocation
    that returns NULL, leading to a NULL dereference in vmem_puttext().

    Shift Left ' @' and Shift Right ' A': Same truncation pattern. Negative
    i bypasses the i > TERM_MAXX / i > cterm->width clamps, producing bad
    movetext() coordinates.

    All found via ANSI fuzz testing.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
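
Added example, not code from cterm.c or from the commits above: the clamp-bypass pattern the preceding commit message describes (and the count clamp from the SU/SD commit before it), with a narrow-then-clamp helper beside one that clamps in the unsigned domain first. All function names are hypothetical, and the narrowing results assume a 32-bit two's-complement int.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not functions from cterm.c. */

/* Weak: narrow the uint64_t parameter to int, then clamp the upper bound only. */
static int count_weak(uint64_t param, int limit)
{
    int i = (int)param;   /* 0x80000000 -> INT_MIN with 32-bit two's-complement int */
    if (i > limit)
        i = limit;
    return i;             /* a negative count passes the check untouched */
}

/* Hardened: compare in the unsigned domain, narrow only once it fits. */
static int count_clamped(uint64_t param, int limit)
{
    if (limit < 1 || param < 1)
        return 0;         /* nothing to do */
    if (param > (uint64_t)limit)
        return limit;
    return (int)param;
}

/* Weak: unsigned subtraction wraps when the coordinate exceeds the width. */
static uint64_t room_weak(unsigned width, unsigned pos)
{
    return (uint64_t)width - pos;
}

/* Hardened: validate the 1-based column first, then subtract as int. */
static int room_checked(int max_col, int col)
{
    if (col < 1 || col > max_col)
        return 0;
    return max_col - col + 1;
}

int main(void)
{
    /* Constructed sample parameters, as a CSI parser might store them. */
    const uint64_t samples[] = { 3, 65536, 0x80000000ULL, 0xFFFFFFFFULL };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("param=%llu weak=%d clamped=%d\n", (unsigned long long)samples[n],
               count_weak(samples[n], 24), count_clamped(samples[n], 24));
    printf("room_weak(40,60)=%llu room_checked(40,60)=%d\n",
           (unsigned long long)room_weak(40, 60), room_checked(40, 60));
    return 0;
}
```
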
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Tuesday, March 17, 2026 22:53:09
    https://gitlab.synchro.net/main/sbbs/-/commit/730a519045111adc5b4db23f
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Add missing #include <stdarg.h> in cterm.c

    cterm_respond_printf() uses va_list/va_start/va_end which require
    stdarg.h. Builds on FreeBSD pulled it in transitively but OpenBSD
    CI caught the missing include.

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Wednesday, March 18, 2026 21:52:28
    https://gitlab.synchro.net/main/sbbs/-/commit/13db692a7140a52beaae7244
    Modified Files:
    src/conio/cterm.c
    Log Message:
    New commands, new CVS revision.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Saturday, March 21, 2026 11:00:00
    https://gitlab.synchro.net/main/sbbs/-/commit/aa2749d1664734bcdd6932a1
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Derp. Fix last commit
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Tuesday, March 31, 2026 11:13:12
    https://gitlab.synchro.net/main/sbbs/-/commit/da1f2e19a4e86caca94ac62c
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix DECRQSS handling.

    When an "invalid" sequence or setting is selected, it should not
    be echoed back.

    Also, many classes of invalid were not getting any response.
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Thursday, April 02, 2026 19:30:13
    https://gitlab.synchro.net/main/sbbs/-/commit/00ef32f63c2f496e6c37ec21
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix various Sixel related vulnerabilities.

    All found by JQuast and graciously reported via IRC.
    Thanks!
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to Git commit to main/sbbs/master on Thursday, April 02, 2026 19:35:08
    https://gitlab.synchro.net/main/sbbs/-/commit/563a58c479b8d2979aeeea01
    Modified Files:
    src/conio/cterm.c
    Log Message:
    Fix stack overflow parsing DECRQSS

    Reported by JQuast over IRC.
    Thanks!
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)