Bound OSC index before reads in wolfSSH_DoOSC

[yosuke-wolfssl]

Fix out-of-bounds read in wolfSSH_DoOSC on truncated OSC sequences

Summary

wolfSSH_DoOSC read buf[*idx] without first checking *idx < bufSz. The
caller wolfSSH_ConvertConsole only guards i + 1 < bufSz before forwarding
z = i + 2 as *idx, so *idx can equal bufSz. A peer-supplied
channel-data buffer whose last two bytes are ESC ] (0x1B 0x5D) drives
wolfSSH_DoOSC to dereference buf[bufSz] — one byte past the heap
allocation — at the very first conditional.

Two adjacent reads inside the OSC '0' (set icon/window title) handler shared
the same flaw: the ; check after *idx += 1, and the post-loop BEL test that
read buf[i] when the scan reached i == bufSz.

This code is compiled only under USE_WINDOWS_API and is reached through the
documented wolfSSH_ConvertConsole API when an external (Windows) consumer
feeds received channel-data bytes into it.

Changes

src/wolfterm.c

• Add an entry guard to wolfSSH_DoOSC: when *idx >= bufSz, drop the
  sequence (return WS_SUCCESS) before any buf[*idx] read.
• Guard the ; read in the title handler after *idx += 1.
• Replace the post-loop buf[i] != 0x07 test with i >= bufSz, and set
  *idx = bufSz so a truncated title is consumed/dropped rather than emitted
  as raw console output.
• Truncated OSC input is dropped consistently (WS_SUCCESS) instead of
  returning WS_WANT_READ. wolfSSH_DoOSC has no resume path — it never saves
  state to escBuf and escState is never set to WS_ESC_OSC — so a
  WS_WANT_READ would leave broken parser state (escState == WS_ESC_START,
  escBufSz == 0) and mis-parse the continuation buffer on re-entry.

tests/api.c

• Extend test_wolfSSH_ConvertConsole with OSC vectors covering each new
  bounds check — buffers ending at ESC ], ESC ] 0, and ESC ] 0 ; title
  (no BEL) — plus a well-formed ESC ] 0 ; hi BEL positive control.

.github/workflows/windows-check.yml

• Add an asan-tests job that builds and runs api-test and unit-test under
  the MSVC AddressSanitizer. This is the only CI job that exercises the
  USE_WINDOWS_API console code (wolfSSH_DoOSC) under a sanitizer: the
  existing sanitizer.yml runs on Linux, where wolfterm.c is compiled out,
  so the OSC path previously had no sanitizer coverage.
  • Discovers an installed MSVC toolset that ships the ASan runtime libs (the
    pinned v142 does not) and builds the whole job with it.
  • Builds with /p:EnableASAN=true (instrumenting the referenced wolfssh
    library and src/wolfterm.c) and /p:WholeProgramOptimization=false so
    objects/libs link without a cross-version /GL code-generation conflict.
  • Emits explicit signals so a green run is meaningful: a positive-control
    canary proving ASan detects an overflow on the runner, a dumpbin
    assertion that the test binaries import the ASan runtime, and
    ASAN_OPTIONS=print_stats=1 for in-process evidence.

Testing

• Existing tests/api.c suite. The new OSC vectors run on USE_WINDOWS_API
  builds via the api-test binary.
• The fixed logic was extracted into a standalone harness and run under
  ASan + UBSan locally: clean on the PoC and all truncation/well-formed cases.
  A negative control with the guard removed reproduced the original
  heap-buffer-overflow READ of size 1, 0 bytes after a 2-byte region.
• New Windows asan-tests CI job is green: the positive control reports
  AddressSanitizer: stack-buffer-overflow then continues, the test binaries
  are confirmed linked against the ASan runtime, and api-test/unit-test
  run clean under ASan.

[Copilot]

Pull request overview

This PR fixes a Windows-only out-of-bounds read in the terminal escape-sequence parser by adding explicit bounds checks in wolfSSH_DoOSC (OSC / ESC ] handling) and extending the API test suite to cover truncated OSC inputs. This hardens the documented wolfSSH_ConvertConsole API against peer-supplied channel-data buffers that end mid-OSC sequence.

Changes:

• Add an entry guard in wolfSSH_DoOSC to prevent dereferencing buf[*idx] when *idx >= bufSz.
• Add additional bounds handling in the OSC '0' title handler (guard the ; read and avoid buf[i] reads when i == bufSz).
• Extend test_wolfSSH_ConvertConsole with truncated and well-formed OSC vectors to exercise the new bounds checks.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/wolfterm.c	Adds bounds checks and safer truncation handling in OSC parsing to prevent OOB reads.
tests/api.c	Adds Windows-only API test vectors for truncated and valid OSC sequences to validate the fix.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1035

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1035

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅