From 48ab623f594d60dbbfb1e767d9686d380ce547fb Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Sat, 21 Mar 2026 17:23:06 +0530
Subject: [PATCH] Graphics protocol: Fix crash when handling invalid PNG image with direct transmission
---
 docs/changelog.rst | 2 ++
 kitty/graphics.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 87ce49374..a98152d78 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -170,6 +170,8 @@ Detailed list of changes
 - Fix thickness of diagonal lines in box drawing characters not the same as horizontal/vertical lines (:iss:`9719`)
+- Graphics protocol: Fix crash when handling invalid PNG image with direct transmission
+
 0.46.2 [2026-03-21]
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/kitty/graphics.c b/kitty/graphics.c
index 3cfec4ba3..944c21dab 100644
--- a/kitty/graphics.c
+++ b/kitty/graphics.c
@@ -555,7 +555,7 @@ load_image_data(GraphicsManager *self, Image *img, const GraphicsCommand *g, con
 case 'd': // direct
 if (load_data->buf_capacity - load_data->buf_used < g->payload_sz) {
 if (load_data->buf_used + g->payload_sz > MAX_DATA_SZ || data_fmt != PNG) ABRT("EFBIG", "Too much data");
- load_data->buf_capacity = MIN(2 * load_data->buf_capacity, MAX_DATA_SZ);
+ load_data->buf_capacity = MAX(MIN(2 * load_data->buf_capacity, MAX_DATA_SZ), load_data->buf_used + g->payload_sz);
 load_data->buf = realloc(load_data->buf, load_data->buf_capacity);
 if (load_data->buf == NULL) {
 load_data->buf_capacity = 0; load_data->buf_used = 0;
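Review bot: The context line `load_data->buf = realloc(load_data->buf, load_data->buf_capacity);` in the kitty/graphics.c hunk still overwrites the only pointer to the old buffer, so when realloc fails the old allocation is leaked while `buf_capacity` and `buf_used` are reset to 0. Assigning through a temporary, `void *p = realloc(load_data->buf, load_data->buf_capacity);` followed by `if (p == NULL) { free(load_data->buf); load_data->buf = NULL; ...` and `load_data->buf = p;` on success, keeps that failure path clean. The new `MAX(..., load_data->buf_used + g->payload_sz)` term is what makes the grown buffer large enough for the incoming payload, since doubling alone falls short when the payload exceeds the current capacity; a comment such as `// capacity must always cover buf_used + payload_sz; doubling alone is not enough for a large chunk` would protect it from a later simplification. The copy into the buffer and the rest of the NULL branch lie outside the hunk, so the write this sizing guards is presumed rather than visible here.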