raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 10:00:17 +00:00
Code Issues Projects Releases Wiki Activity

speakup: Fix sizeof() vs ARRAY_SIZE() bug

Browse Source 
commit 008ab3c53b upstream.

The "buf" pointer is an array of u16 values.  This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.

Fixes: c8d2f34ea9 ("speakup: Avoid crash on very long word")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter
2024-04-15 14:02:23 +03:00
committed by Greg Kroah-Hartman
parent fa5703bfa1
commit d52c04474f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/accessibility/speakup/main.c
View File

@@ -574,7 +574,7 @@ static u_long get_word(struct vc_data *vc)
} }
attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr); attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr);
buf[cnt++] = attr_ch; buf[cnt++] = attr_ch;
while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) { while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) {
tmp_pos += 2; tmp_pos += 2;
tmpx++; tmpx++;
ch = get_char(vc, (u_short *)tmp_pos, &temp); ch = get_char(vc, (u_short *)tmp_pos, &temp);