From 13419755f99c0329425de84a5fc126a0758ddcc2 Mon Sep 17 00:00:00 2001 From: Norman Feske Date: Mon, 16 Apr 2018 15:04:07 +0200 Subject: [PATCH] terminal: fix condition in zero-character handling The condition must first check the io-buffer length and then check the content. Otherwise, cat'ting a file that is padded with zeros up to page size (io-buffer size) yields an out-of-range read access. --- repos/gems/src/server/terminal/session.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/repos/gems/src/server/terminal/session.h b/repos/gems/src/server/terminal/session.h index 3adac9cfb9..dbd4131911 100644 --- a/repos/gems/src/server/terminal/session.h +++ b/repos/gems/src/server/terminal/session.h @@ -104,13 +104,18 @@ class Terminal::Session_component : public Rpc_object= max) + break; + utf8 = Utf8_ptr(src + i); } /* consume trailing zero characters */ - for (; src[i] == 0 && i < num_bytes; i++); + for (; i < max && src[i] == 0; i++); /* we don't support UTF-8 sequences split into multiple writes */ if (i != num_bytes) {
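Review bot: The added `if (i >= max) break;` bounds only the offset passed to `Utf8_ptr(src + i)`, and that constructor receives no remaining length. If the last bytes before `max` are the lead byte of a truncated multi-byte sequence, `utf8.complete()` may still inspect bytes past the end of the io buffer. This is inferred, because `Utf8_ptr` is not part of the patch, so it should be confirmed against its implementation. The loops are now bounded by `max` while the split-sequence check still tests `i != num_bytes`, and the definition of `max` is not legible in this copy of the hunk, so a one-line comment at that definition stating how `max` relates to `num_bytes` and the io-buffer size would help. The enclosing function starts and ends outside the hunk.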