Problem:
Currently undefined behavior can occur when `string_fragment()` is
called with `OSC_COMMAND`. This is because when the state changes to
`OSC_COMMAND`, `string_initial` is set to true. Then in some cases,
directly after this `string_initial` will be set back to false before
the on_osc callback is called, this leads to `term_settermprop()` never
initializing the title.
Solution:
In all of the no-op cases in `string_fragment()` currently, we continue
to the end of the function where `vt->parser.string_initial` is set to
false. This change returns in the no-op cases instead since in these
cases the string has not yet been terminated and sent to the callback.
Note:
This change also adds a test with a byte sequence from the file
in #34028 that caused nvim to crash. This byte sequences is the shortest
sequence I could trim down from that file that still would trigger the
crash. There are also two other tests I added which validate that
setting the title with OSC-0 and OSC-2 still works.
Fixes: #34028
When a C0 character is present in an OSC terminator (i.e. after the ESC
but before a \ (0x5c) or printable character), vterm executes the
control character and resets the current string fragment. If the C0
character is the final byte in the sequence, the string fragment has a
zero length. However, because the VT parser is still in the "escape"
state, vterm attempts to subtract 1 from the string length (to account
for the escape character). When the string fragment is empty, this
causes an underflow in the unsigned size variable, resulting in a buffer
overflow.
The fix is simple: explicitly check if the string length is non-zero
before subtracting.