Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix SetConsoleWindowInfo being able to crash ConPTY (#13212)
MSFT-33471786 is one of the most common crashes we have right now. Memory dumps suggest that `VtEngine::UpdateViewport` is called with a rectangle like `(0, 46, 119, 29)` (left, top, right, bottom), which is a rectangle of negative height. When the `_invalidMap` is resized the negative size gets turned into a very large unsigned integer, which results in an OOM exception, crashing OpenConsole. `VtEngine::UpdateViewport` is called by `Renderer::_CheckViewportAndScroll` which holds a (cached) old and a new viewport. The old viewport was `(0, 46, 119, 75)` which is exceedingly similar to the invalid, new viewport. It's bottom coordinate is also coincidentally larger by exactly 46 (top). The viewport comes from the `SCREEN_INFORMATION` class whose `SetViewport` function was highly suspicious as it has a branch which updates the bottom to be the buffer height, but leaves the top unmodified. `SCREEN_INFORMATION::SetViewport` is called by `SetConsoleWindowInfo` which processes user-provided data. A repro of the crash can be constructed with: ``` SMALL_RECT rect{0, 46, 119, 75}; SetConsoleWindowInfo(GetStdHandle(STD_OUTPUT_HANDLE), TRUE, &rect); ``` Closes #13193 Closes MSFT-33471786 ## Validation Steps Performed Ensured the following code doesn't crash when run under Windows Terminal: ``` SMALL_RECT rect{0, 46, 119, 75}; SetConsoleWindowInfo(GetStdHandle(STD_OUTPUT_HANDLE), TRUE, &rect); ``` (cherry picked from commit 7dbe741) Service-Card-Id: 82642053 Service-Version: 1.14
- Loading branch information