From c8882178ed5564e4d59bd94e1db26f89796da822 Mon Sep 17 00:00:00 2001
From: nick black
Date: Wed, 6 Apr 2022 04:52:50 -0400
Subject: [PATCH] terminate potential escape on incomplete buffer #2647
---
 src/lib/in.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/lib/in.c b/src/lib/in.c
index ccc560541..8dc97890e 100644
--- a/src/lib/in.c
+++ b/src/lib/in.c
@@ -2159,9 +2159,9 @@ process_escape(inputctx* ictx, const unsigned char* buf, int buflen){
 }
 // process as many control sequences from |buf|, having |bufused| bytes,
-// as we can. anything not a valid control sequence is dropped. this text
-// needn't be valid UTF-8. this is always called on tbuf; if we find bulk data
-// here, we need replay it into ibuf (assuming that there's room).
+// as we can. this text needn't be valid UTF-8. this is always called on
+// tbuf; if we find bulk data here, we need replay it into ibuf (assuming
+// that there's room).
 static void
 process_escapes(inputctx* ictx, unsigned char* buf, int* bufused){
 int offset = 0;
@@ -2289,6 +2289,7 @@ process_bulk(inputctx* ictx, unsigned char* buf, int* bufused){
 static void
 process_melange(inputctx* ictx, const unsigned char* buf, int* bufused){
 int offset = 0;
+ int origlen = *bufused;
 while(*bufused){
 logdebug("input %d (%u)/%d [0x%02x] (%c)", offset, ictx->amata.used, *bufused, buf[offset], isprint(buf[offset]) ? buf[offset] : ' ');
@@ -2297,7 +2298,7 @@ process_melange(inputctx* ictx, const unsigned char* buf, int* bufused){
 consumed = process_escape(ictx, buf + offset, *bufused);
 if(consumed < 0){
 if(ictx->midescape){
- if(*bufused != -consumed){
+ if(*bufused != -consumed || *bufused == origlen){
 // not at the end; treat it as input. no need to move between
 // buffers; simply ensure we process it as input, and don't mark
 // anything as consumed.
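Review bot: In the last hunk of process_melange, the comment kept under the changed condition still says "not at the end; treat it as input", but the added `|| *bufused == origlen` arm fires precisely when the unfinished escape does reach the end of the buffer and nothing has been consumed yet in this call. I would reword it to something like `// not at the end, or the whole buffer is one unterminated escape: treat it as input rather than waiting for more bytes.` so the next reader does not take the second arm for a mistake. Because `origlen` is snapshotted at entry (previous hunk), a terminal reply split across two reads whose first read holds only the prefix would presumably take this arm as well, and its tail would then be parsed as ordinary input; that depends on how the caller refills the buffer, which is not visible here, so it is worth confirming and pinning with a test that feeds a sequence split at the buffer boundary. The body of process_melange continues outside the hunk.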