On 01.03.25 at 13:08, Сергей Губарёв wrote:
From: Sergey Gubarev <[email protected]>
Good day, dear maintainer.
The value of the variable h (used for rendering height), obtained from an
external source, may be corrupted.
I suggest considering adding a validation check for the received value.
Patch does not match description, it does nothing with height.
Also, the value of height is sanity checked later, so nothing bad is
going to happen.
Well, actually the bootsplash picture might be rendered wrong if it is
corrupted, but that's to be expected anyway ;-)
Is this some crazy automatic code checking effort?
Busybox 1.36.0
---
busybox/miscutils/fbsplash.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/busybox/miscutils/fbsplash.c b/busybox/miscutils/fbsplash.c
index 2934d8e..72282c0 100644
--- a/busybox/miscutils/fbsplash.c
+++ b/busybox/miscutils/fbsplash.c
@@ -401,6 +401,7 @@ static void fb_drawimage(void)
* - A raster of Width * Height pixels in triplets of rgb
* in pure binary by 1 or 2 bytes. (we support only 1 byte)
*/
+#define MAX_WIDTH (((unsigned int)(-1))/3)
#define concat_buf bb_common_bufsiz1
setup_common_bufsiz();
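Review bot: `(((unsigned int)(-1))/3)` in the added `#define MAX_WIDTH` line is just `UINT_MAX / 3`; writing it as `#define MAX_WIDTH (UINT_MAX / 3)` with `<limits.h>` makes the intent (a row of `width * 3` bytes must not overflow an `unsigned int`) obvious, and a short comment saying exactly that would let the next reader check the bound against whatever the buffer is sized with. The macro is also width-only, while the cover text talks about the height value `h`; either the description or the patch should be brought in line with the other.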
@@ -419,6 +420,9 @@ static void fb_drawimage(void)
&& max_color_val <= 255
) {
width = w; /* w is on stack, width may be in
register */
+ if (width == 0 || width > G.scr_var.xres || width >
MAX_WIDTH ) {
+ bb_error_msg_and_die("Invalid width in PPM
file '%s': %u", G.image_filename, w);
+ }
height = h;
break;
}
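Review bot: the new guard `width == 0 || width > G.scr_var.xres || width > MAX_WIDTH` mixes two different things: `width > MAX_WIDTH` is an overflow guard, but `width > G.scr_var.xres` turns an image that is merely wider than the framebuffer into a fatal `bb_error_msg_and_die`, which is a behaviour change rather than a sanity check and should be called out (or dropped) in the commit message. If the intent is to protect arithmetic on the whole raster, the check needs to involve `height` as well, which the hunk leaves untouched; `height = h;` is assigned right after the guard with no corresponding test, so the patch does not do what the cover text ("validation check for the received value" of `h`) says.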
--
2.30.2
--
Stefan Seyfried
"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox