From: Chris Moore <[email protected]> Date: Fri, 7 Feb 2025 15:21:02 +0000 Subject: [psplash][PATCH] psplash.c: fix crash from length becoming negative
Fixes [Yocto #14806] If there is an error in read(), it returns -1 but this is just added to length without checking first. This can lead to a runaway negative value for length which eventually crashes when memchr() is called with the negative value. The fix is to check the return from read() first and handle the error state. Signed-off-by: Chris Moore <[email protected]> --- psplash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/psplash.c b/psplash.c index ee1af6b..0db0aa4 100644 --- a/psplash.c +++ b/psplash.c @@ -140,6 +140,7 @@ psplash_main (PSplashFB *fb, int pipe_fd, int timeout) { int err; ssize_t length = 0; + ssize_t ret = 0; fd_set descriptors; struct timeval tv; char *end; @@ -170,15 +171,16 @@ psplash_main (PSplashFB *fb, int pipe_fd, int timeout) return; } - length += read (pipe_fd, end, sizeof(command) - (end - command)); + ret = read (pipe_fd, end, sizeof(command) - (end - command)); - if (length == 0) + if (ret <= 0) { /* Reopen to see if there's anything more for us */ close(pipe_fd); pipe_fd = open(PSPLASH_FIFO,O_RDONLY|O_NONBLOCK); goto out; } + length += ret; cmd = command; do { -- 2.45.2 Chris Moore Embedded Software Engineer @ [email protected] T +44 1273 477528 www.hanoverdisplays.comHanover Displays Ltd. Southerham House, Southerham Lane, Lewes, East Sussex BN8 6JN, UK Registered in England No: 1876684
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#64753): https://lists.yoctoproject.org/g/yocto/message/64753 Mute This Topic: https://lists.yoctoproject.org/mt/111098996/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
