From bddf8a8cb37fbc507d2c1ad17af610e73b0b5f19 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto
Date: Fri, 18 Aug 2023 13:56:33 -0700
Subject: [PATCH] termio/exec: limit max apc string length
---
 src/termio/Exec.zig | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/termio/Exec.zig b/src/termio/Exec.zig
index 6e24217f8..ed016355c 100644
--- a/src/termio/Exec.zig
+++ b/src/termio/Exec.zig
@@ -1107,6 +1107,14 @@ const StreamHandler = struct {
 }
 try self.apc_data.append(self.alloc, byte);
+
+ // Prevent DoS attack.
+ const limit = 100 * 1024 * 1024; // 100MB
+ if (self.apc_data.items.len > limit) {
+ log.warn("APC command too large, ignoring", .{});
+ self.apc_state = .ignore;
+ self.apc_data.clearAndFree(self.alloc);
+ }
 }
 pub fn apcEnd(self: *StreamHandler) !void {
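Review bot: The cap is a function-local magic number enforced only after `append` has already grown the buffer, so each terminal can still be made to hold roughly 100 MB (the list's capacity may be larger than its length) by whatever writes an unterminated APC string to the pty. I would hoist it to a documented container-level declaration such as `const max_apc_len = 100 * 1024 * 1024;`, reconsider whether any supported APC payload needs that much, and test `self.apc_data.items.len >= max_apc_len` before the `try self.apc_data.append(...)` line instead of after it. The comment `// Prevent DoS attack.` would be more useful if it said that terminal output is untrusted and that APC data accumulates until the string terminator arrives. The function starts above this hunk, so I cannot see whether later bytes are dropped once `apc_state` is `.ignore`; if they are not, the buffer simply refills after `clearAndFree` and the warning repeats.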