| From 395450a217101d41b5ead0bc0330adb87e134d0f Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 27 Sep 2024 22:34:24 +0300 |
| Subject: fbdev: sisfb: Fix strbuf array overflow |
| |
| From: Andrey Shumilin <shum.sdl@nppct.ru> |
| |
| [ Upstream commit 9cf14f5a2746c19455ce9cb44341b5527b5e19c3 ] |
| |
| The values of the variables xres and yres are placed in strbuf. |
| These variables are obtained from strbuf1. |
| The strbuf1 array contains digit characters |
| and a space if the array contains non-digit characters. |
| Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres); |
| more than 16 bytes will be written to strbuf. |
| It is suggested to increase the size of the strbuf array to 24. |
| |
| Found by Linux Verification Center (linuxtesting.org) with SVACE. |
| |
| Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru> |
| Signed-off-by: Helge Deller <deller@gmx.de> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/video/fbdev/sis/sis_main.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c |
| index 009bf1d926448..75033e6be15ab 100644 |
| --- a/drivers/video/fbdev/sis/sis_main.c |
| +++ b/drivers/video/fbdev/sis/sis_main.c |
| @@ -183,7 +183,7 @@ static void sisfb_search_mode(char *name, bool quiet) |
| { |
| unsigned int j = 0, xres = 0, yres = 0, depth = 0, rate = 0; |
| int i = 0; |
| - char strbuf[16], strbuf1[20]; |
| + char strbuf[24], strbuf1[20]; |
| char *nameptr = name; |
| |
| /* We don't know the hardware specs yet and there is no ivideo */ |
| -- |
| 2.43.0 |
| |
