From af63d94017a26cbf3446219de5ced30e677e0f13 Mon Sep 17 00:00:00 2001
From: Benno Schulenberg
Date: Sun, 12 Dec 2021 15:43:15 +0100
Subject: [PATCH 36/38] input: ensure that no more bytes are consumed than are available

The value of 'consumed' may not exceed the given 'length'. Bug existed since version 2.9.3, commit e739448c. (Bug was found by studying Fedora crash reports. Thank you, Fedora!)
---
 src/winio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/winio.c b/src/winio.c
index 1116c172..e12d6e6b 100644
--- a/src/winio.c
+++ b/src/winio.c
@@ -466,8 +466,9 @@ int convert_SS3_sequence(const int *seq, size_t length, int *consumed)
 /* Translate a sequence that began with "Esc [" to its corresponding key code. */
 int convert_CSI_sequence(const int *seq, size_t length, int *consumed)
 {
- if (seq[0] < '9')
+ if (seq[0] < '9' && length > 1)
 *consumed = 2;
+
 switch (seq[0]) {
 case '1':
 if (length > 1 && seq[1] == '~')
-- 
2.37.4
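Review bot: The `length > 1` guard covers only the default `*consumed = 2` at the top of convert_CSI_sequence, so the invariant named in the commit message (consumed may not exceed length) is still upheld one branch at a time. The switch body continues past the end of this hunk, so the remaining assignments to `*consumed` cannot be checked from here. When `length` is 1 the function now leaves `*consumed` untouched, which presumably relies on the caller having initialised it. The header comment should state that contract, for example `/* On return, *consumed never exceeds length; it keeps the caller's value when only seq[0] is available. */`. Because an over-count makes the caller drop more buffered key codes than it holds, a single clamp or assertion on the returned count at the call site (not visible here) would hold the invariant for every branch, including any added later.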