bug report: xgifb: buffer overflow issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Arnaud,

Smatch reported a couple of array overflows in the new xgifb driver
which was added to staging.

drivers/staging/xgifb/XGI_main_26.c +3080 xgifb_probe(125)
	error: strcpy() "0.84" too large for XGIhw_ext.szVBIOSVer (5 vs 4)
  3076            XGIhw_ext.pjCustomizedROMImage = NULL;
  3077            XGIhw_ext.bSkipDramSizing = 0;
  3078            XGIhw_ext.pQueryVGAConfigSpace = &XGIfb_query_VGA_config_space;
  3079  //      XGIhw_ext.pQueryNorthBridgeSpace = &XGIfb_query_north_bridge_space;
  3080            strcpy(XGIhw_ext.szVBIOSVer, "0.84");
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

XGIhw_ext.szVBIOSVer is an array of 4 characters but "0.84" is 5
characters long counting the NULL terminator.

vers/staging/xgifb/XGI_main_26.c +1733 XGIfb_get_fix(6)
	error: strcpy() myid too large for fix->id (20 vs 16)
  1730          DEBUGPRN("inside get_fix");
  1731          memset(fix, 0, sizeof(struct fb_fix_screeninfo));
  1732  
  1733          strcpy(fix->id, myid);
                ^^^^^^^^^^^^^^^^^^^^^

myid is 20 characters long and fix->id is 16 characters long.  I suggest
maybe change the myid to 16 characters and also use:
 
	strlcpy(fix->id, myid, sizeof(fix->id));

I would have sent a patch to do this, but I don't think myid is actually
initialized anywhere.  What should the myid string to say?

regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel


[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux