
put_line(): Fix buffer overflow.

At the end of the format string it wrote a last byte (or inline string) past
the end of the lcd boundaries, potentially overwriting unrelated memory. It
now makes sure it won't exceed the viewport's width.

Change-Id: Id4cfce918e8b070b7fc3c7d33f389f7a171963ff
Thomas Martitz 2014-01-12 17:31:53 +01:00
parent 3ae73433ab
commit 193911af76


@ -184,6 +184,7 @@ static void print_line(struct screen *display,
enum themable_icons icon; enum themable_icons icon;
char tempbuf[MAX_PATH+32]; char tempbuf[MAX_PATH+32];
unsigned int tempbuf_idx; unsigned int tempbuf_idx;
int max_width = display->getwidth();
height = line->height == -1 ? display->getcharheight() : line->height; height = line->height == -1 ? display->getcharheight() : line->height;
icon_h = get_icon_height(display->screen_type); icon_h = get_icon_height(display->screen_type);
@ -195,7 +196,7 @@ static void print_line(struct screen *display,
y += height/2 - display->getcharheight()/2; y += height/2 - display->getcharheight()/2;
/* parse format string */ /* parse format string */
while (1) while (xpos < max_width)
{ {
ch = *fmt++; ch = *fmt++;
/* need to check for escaped '$' */ /* need to check for escaped '$' */
@ -280,7 +281,8 @@ next:
DEBUGF("%s ", ch ? "put_line: String truncated" : ""); DEBUGF("%s ", ch ? "put_line: String truncated" : "");
} }
if (!ch) if (!ch)
{ /* end of string. put it online */ { /* end of format string. flush pending inline string, if any */
if (tempbuf[0])
put_text(display, xpos, y, line, tempbuf, false, 0); put_text(display, xpos, y, line, tempbuf, false, 0);
return; return;
} }
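Review bot: The new `while (xpos < max_width)` condition bounds only the x position where an iteration starts, so the end-of-string flush `put_text(display, xpos, y, line, tempbuf, false, 0)` still hands over the whole pending string with no remaining-width limit visible in these hunks. Whether the out-of-bounds write is fully closed therefore depends on put_text(), which is not shown, clipping to the viewport, and on xpos not being advanced past `max_width` earlier in the same iteration. I would record that invariant at the flush, for example `/* xpos < max_width here; put_text() is relied on to clip tempbuf to the viewport */`. Separately, `tempbuf` is declared without an initializer, so the added `if (tempbuf[0])` is only well-defined if the code above this hunk always stores to `tempbuf[0]` first, which is worth confirming. print_line() starts and ends outside the hunks shown.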