Patrick Georgi has uploaded this change for review. ( https://review.coreboot.org/28659
Change subject: src/lib/edid: avoid buffer overflow ......................................................................
src/lib/edid: avoid buffer overflow
It's more theoretical, but lest somebody calls extract_string() with too large a length...
Change-Id: I3934bd6965318cdffe5c636b01b3e0c4426e8d1d Signed-off-by: Patrick Georgi pgeorgi@google.com Found-by: Coverity Scan #1374795 --- M src/lib/edid.c 1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/59/28659/1
diff --git a/src/lib/edid.c b/src/lib/edid.c
index 9cf9b8a..0bfd20f 100644
--- a/src/lib/edid.c
+++ b/src/lib/edid.c
@@ -175,12 +175,12 @@
 static char *
 extract_string(unsigned char *x, int *valid_termination, int len)
 {
- static char ret[128];
+ static char ret[EDID_ASCII_STRING_LENGTH + 1];
 int i, seen_newline = 0;
memset(ret, 0, sizeof(ret));
- for (i = 0; i < len; i++) {
+ for (i = 0; i < min(len, EDID_ASCII_STRING_LENGTH); i++) {
 if (seen_newline) {
 if (x[i] != 0x20) {
 *valid_termination = 0;
@@ -284,7 +284,7 @@
 printk(BIOS_SPEW, "Monitor name: %s\n",
 extract_string(x + 5,
 &c->has_valid_string_termination,
- 13));
+ EDID_ASCII_STRING_LENGTH));
 return 1;
 case 0xFD:
 {
@@ -476,7 +476,7 @@
 case 0xFF:
 printk(BIOS_SPEW, "Serial number: %s\n",
 extract_string(x + 5,
- &c->has_valid_string_termination, 13));
+ &c->has_valid_string_termination, EDID_ASCII_STRING_LENGTH));
 return 1;
 default:
 printk(BIOS_SPEW,
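Review bot: In the first hunk, the clamp in the loop condition of extract_string(), `i < min(len, EDID_ASCII_STRING_LENGTH)`, truncates silently when a caller passes a larger `len`; as far as the visible lines show, `*valid_termination` is left untouched in that case, as if the input had been well formed. Because `ret` shrinks from 128 bytes to `EDID_ASCII_STRING_LENGTH + 1` in the same change, any caller outside this diff that passes a larger length than the two sites updated here would now lose data without notice. It may be worth handling the oversized case once before the loop, for example `if (len > EDID_ASCII_STRING_LENGTH) { *valid_termination = 0; len = EDID_ASCII_STRING_LENGTH; }`, which also keeps `min()` out of the loop condition. The `+ 1` together with the `memset` is what keeps the result NUL-terminated, so a short comment on the declaration such as `/* +1: memset leaves a trailing NUL after at most EDID_ASCII_STRING_LENGTH bytes */` would guard against someone trimming it later. The body of extract_string() continues past the end of this hunk, so the store into `ret` itself is not visible here.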