[U-Boot] Buffer overflow in driver/video/cfb_console.c

Message ID CANCW2kVBSDQQ4R99Wpm0u25q0v2QcagoW_PBgEGSQu03BWTnhw@mail.gmail.com
State Deferred
Delegated to: Anatolij Gustschin

Commit Message

Frédéric Nadeau April 15, 2015, 11:17 p.m. UTC
Hi,

I found a buffer overflow in console_clear() which results in a system reset in my case.

Function console_clear_line() uses ">> 2" when calling memsetl. Function console_scrollup() uses ">> 2" when calling memcpyl. Function video_clear() uses "/ sizeof(int)" when calling memsetl.

">> 2" could be replaced by "/ sizeof(int)" as in video_clear(). I used ">> 2" strictly because console functions are written that way.

CONSOLE_SIZE is expressed in bytes (X * Y * bytes per pixel) and memsetl uses int (4 bytes) as copy size. In console_clear(), this results in writing 4 times the buffer size.

Best regards
Frédéric Nadeau
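To make the unit mismatch described in the message concrete, here is an added C example that is not part of the patch or of U-Boot. It models memsetl() as a fill that counts 32-bit words (memsetl_sim, a hypothetical stand-in), defines a constructed framebuffer geometry so that CONSOLE_SIZE is a byte count, and measures how far a fill overruns a guarded buffer when the byte count is passed where a word count is expected, versus the corrected ">> 2" or "/ sizeof(int)" count.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed framebuffer geometry (not a real board's values). */
#define VIDEO_COLS        640
#define VIDEO_ROWS        480
#define VIDEO_PIXEL_SIZE  2    /* bytes per pixel, e.g. RGB565 */
/* Like the driver's CONSOLE_SIZE: a size in BYTES. */
#define CONSOLE_SIZE      (VIDEO_COLS * VIDEO_ROWS * VIDEO_PIXEL_SIZE)

/* Hypothetical stand-in for memsetl(): 'count' is a number of 32-bit words. */
static void memsetl_sim(uint32_t *dst, size_t count, uint32_t val)
{
    for (size_t i = 0; i < count; i++)
        dst[i] = val;
}

/* Bytes actually touched by a memsetl() call with the given word count. */
size_t memsetl_bytes_written(size_t word_count)
{
    return word_count * sizeof(uint32_t);
}

/* True if a memsetl() call with 'word_count' stays inside 'buf_bytes'. */
bool memsetl_fits(size_t word_count, size_t buf_bytes)
{
    return memsetl_bytes_written(word_count) <= buf_bytes;
}

/* Overshoot of the original call, which passed CONSOLE_SIZE (bytes) as a word count. */
size_t overshoot_factor(void)
{
    return memsetl_bytes_written(CONSOLE_SIZE) / CONSOLE_SIZE;
}

/*
 * Runs the fill into a heap region that has a guard zone after the
 * console-sized buffer, and reports whether the guard zone survived.
 * The region is sized for the worst case so the simulation itself is safe.
 */
bool guard_survives(size_t word_count)
{
    size_t region = (size_t)CONSOLE_SIZE * 4 + 64;
    uint8_t *mem = malloc(region);
    if (!mem)
        return false;
    memset(mem, 0xAA, region);                 /* guard pattern everywhere */
    memsetl_sim((uint32_t *)mem, word_count, 0);
    bool ok = true;
    for (size_t i = CONSOLE_SIZE; i < region; i++) {
        if (mem[i] != 0xAA) {                  /* fill ran past the buffer */
            ok = false;
            break;
        }
    }
    free(mem);
    return ok;
}

int main(void)
{
    printf("CONSOLE_SIZE = %d bytes\n", CONSOLE_SIZE);
    printf("memsetl(..., CONSOLE_SIZE, ...) writes %zu bytes (%zux)\n",
           memsetl_bytes_written(CONSOLE_SIZE), overshoot_factor());
    printf("guard intact with CONSOLE_SIZE:          %s\n",
           guard_survives(CONSOLE_SIZE) ? "yes" : "no");
    printf("guard intact with CONSOLE_SIZE >> 2:     %s\n",
           guard_survives(CONSOLE_SIZE >> 2) ? "yes" : "no");
    printf("guard intact with CONSOLE_SIZE/sizeof(int): %s\n",
           guard_survives(CONSOLE_SIZE / sizeof(int)) ? "yes" : "no");
    return 0;
}
```

The two corrected forms are equivalent on any platform where sizeof(int) is 4, which is what the message assumes; the "/ sizeof(int)" spelling has the advantage of saying why the divide is there.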

>> 2, bgx);
 #endif
 }
Patch

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c
index a81affa..620935e 100644
--- a/drivers/video/cfb_console.c
+++ b/drivers/video/cfb_console.c
@@ -798,7 +798,7 @@  static void
​​
​​
console_clear(void)
                          bgx                   /* fill color */
        );
 #else
-       memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE, bgx);
+       memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE
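Review bot: the `+` line is cut off on this page after `CONSOLE_SIZE`, so the replacement count cannot be checked in the hunk itself; the fragment shown above the patch ends it with `>> 2, bgx);`. Since memsetl() takes its length in 32-bit words while CONSOLE_SIZE is in bytes (as the commit message explains), `CONSOLE_SIZE / sizeof(int)` would match the existing video_clear() call and make the byte-to-word conversion self-documenting, whereas a bare `>> 2` gives the next reader no hint; a short comment on the conversion would help either way. Separately, the commit message carries no Signed-off-by line, which U-Boot requires before a patch can be applied.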