Am 01.03.25 um 13:06 schrieb Сергей Губарёв:
From: Sergey Gubarev <[email protected]>
Good day, dear maintainer.
The value of the variable w (used for rendering width), obtained from an
external source, may be corrupted and could lead to an overflow in line_size
= width * 3.
cannot happen in reality.
Unless you have displays wider than roughly 1.43 Billion pixels.
I suggest considering adding a validation check for the received value.
I'm missing the bloatcheck so that it can be judged if the check that
never is going to trigger is worth increasing the code size.
Busybox 1.36.0
---
busybox/miscutils/fbsplash.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/busybox/miscutils/fbsplash.c b/busybox/miscutils/fbsplash.c
index 2934d8e..72282c0 100644
--- a/busybox/miscutils/fbsplash.c
+++ b/busybox/miscutils/fbsplash.c
@@ -401,6 +401,7 @@ static void fb_drawimage(void)
* - A raster of Width * Height pixels in triplets of rgb
* in pure binary by 1 or 2 bytes. (we support only 1 byte)
*/
+#define MAX_WIDTH (((unsigned int)(-1))/3)
#define concat_buf bb_common_bufsiz1
setup_common_bufsiz();
@@ -419,6 +420,9 @@ static void fb_drawimage(void)
&& max_color_val <= 255
) {
width = w; /* w is on stack, width may be in
register */
+ if (width == 0 || width > G.scr_var.xres || width >
MAX_WIDTH ) {
+ bb_error_msg_and_die("Invalid width in PPM
file '%s': %u", G.image_filename, w);
+ }
height = h;
break;
}
--
2.30.2
--
Stefan Seyfried
"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
