Commit 6c74e94a authored by Heinrich Schuchardt's avatar Heinrich Schuchardt Committed by Tom Rini
Browse files

lib/display_options: avoid illegal memory access



display_options_get_banner_priv() overwrites bytes before the start of the
buffer if the buffer size is less then 3. This case occurs in the Sandbox
when executing the `ut_print` command.

Correctly handle small buffer sizes. Adjust the print unit test to catch
when bytes before the buffer are overwritten.
Signed-off-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: default avatarSimon Glass <sjg@chromium.org>
parent ed885e75
...@@ -23,7 +23,9 @@ char *display_options_get_banner_priv(bool newlines, const char *build_tag, ...@@ -23,7 +23,9 @@ char *display_options_get_banner_priv(bool newlines, const char *build_tag,
build_tag); build_tag);
if (len > size - 3) if (len > size - 3)
len = size - 3; len = size - 3;
strcpy(buf + len, "\n\n"); if (len < 0)
len = 0;
snprintf(buf + len, size - len, "\n\n");
return buf; return buf;
} }
......
...@@ -79,14 +79,18 @@ static int do_ut_print(cmd_tbl_t *cmdtp, int flag, int argc, ...@@ -79,14 +79,18 @@ static int do_ut_print(cmd_tbl_t *cmdtp, int flag, int argc,
assert(s == str); assert(s == str);
assert(!strcmp("\n\nU-Boo\n\n", s)); assert(!strcmp("\n\nU-Boo\n\n", s));
s = display_options_get_banner(true, str, 1); /* Assert that we do not overwrite memory before the buffer */
assert(s == str); str[0] = '`';
assert(!strcmp("", s)); s = display_options_get_banner(true, str + 1, 1);
assert(s == str + 1);
s = display_options_get_banner(true, str, 2); assert(!strcmp("`", str));
assert(s == str);
assert(!strcmp("\n", s)); str[0] = '~';
s = display_options_get_banner(true, str + 1, 2);
assert(s == str + 1);
assert(!strcmp("~\n", str));
/* The last two characters are set to \n\n for all buffer sizes > 2 */
s = display_options_get_banner(false, str, sizeof(str)); s = display_options_get_banner(false, str, sizeof(str));
assert(s == str); assert(s == str);
assert(!strcmp("U-Boot \n\n", s)); assert(!strcmp("U-Boot \n\n", s));
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment