diff options
author | Patrick Georgi <pgeorgi@google.com> | 2018-09-18 18:01:02 +0200 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2018-11-06 14:07:58 +0000 |
commit | d840e2b3f019cd37920d6a2ca3c4cfd6f5432699 (patch) | |
tree | 972525518a8e8d29f949e33153b7a92c7a8d12f6 /src/lib/edid.c | |
parent | d13b41124b37ae9e86169c55dd9ff7ca1e972ec4 (diff) | |
download | coreboot-d840e2b3f019cd37920d6a2ca3c4cfd6f5432699.tar.xz |
src/lib/edid: avoid buffer overflow
It's more theoretical, but lest somebody calls extract_string()
with too large a length...
Change-Id: I3934bd6965318cdffe5c636b01b3e0c4426e8d1d
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Found-by: Coverity Scan #1374795
Reviewed-on: https://review.coreboot.org/28659
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/lib/edid.c')
-rw-r--r-- | src/lib/edid.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/lib/edid.c b/src/lib/edid.c index fbd8ef65f5..957897ef52 100644 --- a/src/lib/edid.c +++ b/src/lib/edid.c @@ -175,12 +175,12 @@ detailed_cvt_descriptor(unsigned char *x, int first) static char * extract_string(unsigned char *x, int *valid_termination, int len) { - static char ret[128]; + static char ret[EDID_ASCII_STRING_LENGTH + 1]; int i, seen_newline = 0; memset(ret, 0, sizeof(ret)); - for (i = 0; i < len; i++) { + for (i = 0; i < min(len, EDID_ASCII_STRING_LENGTH); i++) { if (seen_newline) { if (x[i] != 0x20) { *valid_termination = 0; @@ -285,7 +285,7 @@ detailed_block(struct edid *result_edid, unsigned char *x, int in_extension, printk(BIOS_SPEW, "Monitor name: %s\n", extract_string(x + 5, &c->has_valid_string_termination, - 13)); + EDID_ASCII_STRING_LENGTH)); return 1; case 0xFD: { @@ -477,7 +477,8 @@ detailed_block(struct edid *result_edid, unsigned char *x, int in_extension, case 0xFF: printk(BIOS_SPEW, "Serial number: %s\n", extract_string(x + 5, - &c->has_valid_string_termination, 13)); + &c->has_valid_string_termination, + EDID_ASCII_STRING_LENGTH)); return 1; default: printk(BIOS_SPEW, |